diff --git a/postfix/HISTORY b/postfix/HISTORY index 4299f5c6b..c4ee6c2dd 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -12222,27 +12222,29 @@ Apologies for any names omitted. tls/tls_misc.c, tls/tls_server.c. Added smtpd_tls_protocols parameter to complement - smtp_tls_protocols. + smtp_tls_protocols. Victor Duchovni. 20060517 The smtp_tls_policy_maps table now implements parent domain matching for destinations that are bare domains (without enclosin [] or optional :port suffix). This allows one to - set TLS policy for a domain and all sub-domains. + set TLS policy for a domain and all sub-domains. Victor + Duchovni. 20060519 The same parameter can bind to different variables in different daemons, ignore the variable name when eliminating - duplicates in extract.awk. + duplicates in extract.awk. Victor Duchovni. 20060523 Improved handling of smtp_tls_protocols and smtpd_tls_protocols, names now processed via name_mask(3) and canonicalized prior to use in the SMTP/LMTP client TLS session lookup key. Also - simplifies the corresponding code in the TLS driver. + simplifies the corresponding code in the TLS driver. Victor + Duchovni. 20060524 @@ -12259,7 +12261,7 @@ Apologies for any names omitted. 20060601 Fixed default value of LMTP TLS client certificate parameters, - using the SMTP values as a default was wrong. + using the SMTP values as a default was wrong. Victor Duchovni. 20060603 @@ -12267,7 +12269,7 @@ Apologies for any names omitted. settings. We need to add the transport name to the TLS session lookup key so that sessions verified with one set of trusted roots are not inadvertantly considered verified - for another. + for another. Victor Duchovni. 20060604 @@ -12301,7 +12303,7 @@ Apologies for any names omitted. 20060606 Portability: Some systems no longer support the traditional - "sort +0 -2 +3". + "sort +0 -2 +3". Victor Duchovni. 20060607 @@ -12341,17 +12343,17 @@ Apologies for any names omitted. 20060612 Changed smtp security level parsing and level->name conversion - to use name_code(3). + to use name_code(3). Victor Duchovni. Implemented new smtp_tls_security_level parameter, to replace the unnecessarily complex smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername parameters. The main.cf security level settings are now consistent with the new - policy table. + policy table. Victor Duchovni. The smtp_sasl_tls_verified_security_options feature is not yet complete, added #ifdef SNAPSHOT and changed documentation - to delay introduction until Postfix 2.4. + to delay introduction until Postfix 2.4. Victor Duchovni. 20060614 @@ -12360,10 +12362,10 @@ Apologies for any names omitted. personality of the unified SMTP/LMTP client. Allow mandatory TLS encryption with LMTP over UNIX-domain - sockets. + sockets. Victor Duchovni. Safety: improved code to avoid I/O on connections after the - TLS handshake fails. + TLS handshake fails. Victor Duchovni. 20060615 @@ -12375,7 +12377,7 @@ Apologies for any names omitted. The qshape.pl script was updated for the pointer records that were introduced to support message content modification - by Milter applications. + by Milter applications. Victor Duchovni. 20060620 @@ -12387,7 +12389,8 @@ Apologies for any names omitted. The levels are "high", "medium" (or better), "low" (or better), "export" (or better) and "null". The underlying definitions of these levels are configurable, but users are - strongly encouraged to not change those definitions. + strongly encouraged to not change those definitions. Victor + Duchovni. 20060626 @@ -12473,11 +12476,13 @@ Apologies for any names omitted. smtpd/smtpd_check.c. Safety: the SMTP/LMTP client now defers delivery when a - SASL password exists but the server does not offer SASL - authentication. Mail could be rejected otherwise. This - may become an issue now that Postfix retries delivery in - plaintext after an opportunistic TLS handshake fails. Specify - "smtp_sasl_auth_enforce = no" to deliver mail anyway. + SASL password exists, but the server does not offer SASL + authentication. Mail could be rejected otherwise. This may + become an issue now that Postfix retries delivery in plaintext + after an opportunistic TLS handshake fails. Specify + "smtp_sasl_auth_enforce = no" to deliver mail anyway. File: + smtp/smtp_proto.c. See workaround 20060711 for sender-dependent + SASL passwords. 20060709 @@ -12489,247 +12494,42 @@ Apologies for any names omitted. as "encrypt", after logging a warning. Files: smtpd/smtpd.c, tls/tls_level.c, smtp/smtp_session.c. - Compatibility: don't send the first body line to Milter - applications. This also broke domain key etc. signatures + Compatibility: don't send the first (blank) body line to + Milter applications. This broke domain key etc. signatures when verified by non-Postfix MTAs. File: milter/milter8.c. -Wish list: +20060710 - The usage of TLScontext->cache_type is unclear. It specifies - a TLS session cache type (smtpd, smtp, or lmtp), but it is - sometimes used as an indicator that TLS session caching is - unavailable. In reality, that decision is made by not - registering call-back functions for cache maintenance. + Cleanup: more consistency between smtpd(8) and smtp(8) TLS + configuration interfaces: smtpd_tls_mandatory_exclude_ciphers, + smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols. + By Victor. Files:smtpd/smtpd.c. - Postfix TLS library code should copy any strings that it - receives from the application, instead of passing them - around as pointers. TLScontext->cache_type is a case in - point. + Cleanup: to support domainkey signing of bounces and + Postmaster notices, enable content inspection of Postfix- + generated mail with the new internal_mail_filter_classes + feature. This is disabled by default, because it is not + yet safe enough. Files: global/int_filt.[hc] and everything + that calls post_mail_fopen*(). - Are transport:nexthop null fields the same as in the case - of default_transport etc. parameters? +20060711 - Introduce structured API for tls_server_mumble() just like - with smtp(8): this eliminates ever-growing lists of arguments. + Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble, + and finer control over the Postfix SMTP server TLS ciphers, + all this for consistency with the same functionality in the + Postfix SMTP client. Victor Duchovni. - Don't lose bits when converting st_dev into maildir file - name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. Is this really a problem, or are they just - using 64 bits for upwards compatibility with LP64 systems? + Compatibility: Sendmail's milter client handles whitespace + after the header label and ":" in an interesting manner. + It eats one space (not tab). File: milter/milter8.c. - Do or don't introduce unknown_reverse_client_reject_code. + Workaround: if sender-depedendent SASL passwords are enabled, + don't defer delivery when a SASL password exists but the + server doesn't announce SASL support. File: smtp/smtp_proto.c. - In Milter events, mail_addr/rcpt_addr should be externalized - as they are in Sendmail. Likewise, addresses in add/delete - requests should be internalized before updating the queue - file. + Cleanup: format of cleanup milter reject messages. File: + cleanup_milter.c. - Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 - UNIX). - - Tempfail when a Milter application wants content access, - while it is configured in an SMTP server that runs before - the smtpd_proxy filter. - - The sendmail command should not return non-std exit status - after fatal error in some internal library routine. - - Log DSN original recipient when rejecting mail. - - Keep whitespace between label and ":"? - - Make the map case folding/locking options configurable, if - not at run-time then at least at compile time so we get - consistent behavior across applications. - - Investigate what it would take to eliminate oqmgr, and to - make the old behavior configurable in a unified queue - manager. This would shave another 2.7 KLOC from the source - footprint. - - Document the case folding strategy for match_list like - features. - - Eliminate the (incoming,deferred)->active rename operation. - - Softbounce fallback-to-ISP for SOHO users. This requires - playing with the soft_error test in the smtp_trouble.c - module, and avoiding delivery to backup MX hosts. - - select -> kqueue, epoll, /dev/poll, poll() ... - - In the SMTP server, set a "pipelining detected" flag at the - start of a session and at protocol synchronization points, - so that reject_unauth_pipelining can be specified in any - access rule. - - Centralize main.cf parameter input so that defaults work - consistently. What about parameter names that are prefixed - with mail delivery transport names? - - Fix default time unit handling so that we can have a default - bounce lifetime of $maximal_queue_lifetime, without causing - panics when a non-default maximal_queue_lifetime setting - includes no time unit. - - After the 20051222 ISASCII paranoia, lowercase() lowercases - ASCII text only. - - Privacy: remove local command/pathname details from remote - delivery status reports, and log them via local msg_warn(). - - Remove defer(8) and trace(8) references and man pages. These - are services not program names. - - Is it safe to cache a connection after it has been used for - more than some number of address verification probes? - - Try to recognize that Resent- headers appear in blocks, - newest block first. But don't break on incorrect header - block organization. - - Hard limits on cache sizes (anvil, specifically). - - Laptop friendliness: make the qmgr remember when the next - deferred queue scan needs to be done, and have the pickup - server stat() the maildrop directory before searching it. - - Low: replace_sender/replace_recipient actions in access - maps? - - Low: configurable order of local(8) delivery methods. - - Med: local and remote source port and IP address for smtpd - policy hook. - - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) - to limit the total time spent trying to connect. - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when comparing against local IP addresses? - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when eliminating MX mailer loops? - - Med: Postfix requires [] around IPv6 address information - in match lists such as mynetworks, debug_peer_list etc., - but the [] must not be specified in access(5) maps. Other - places don't care. For now, this gotcha is documented in - IPV6_README and in postconf(5) with each feature that may - use IPv6 address information. The general recommendation - is not to use [] unless absolutely necessary. - - Med: the partial address matching of IPv6 addresses in - access(5) maps is a bit lame: it repeatedly truncates the - last ":octetpair" from the printable address representation - until a match is found or until truncation is no longer - possible. Since one or more ":" are usually omitted from - the printable IPv6 address representation, this does not - really try all the possibilities that one might expect to - be tried. For now, this gotcha is documented in access(5). - - Med: the TLS certificate verification depth parameters never - worked. - - Low: reject HELO with any domain name or IP address that - this MTA is the final destination for. - - Low: should the Delivered-To: test in local(8) be configurable? - - Low: make mail_addr_find() lookup configurable. - - Low: update events.c so that 1-second timer requests do not - suffer from rounding errors. This is needed for 1-second - SMTP session caching time limits. A 1-second interval would - become arbitrarily short when an event is scheduled just - before the current second rolls over. - - Low: configurable internal/system locking method. - - Low: add INSTALL section for pre-existing Postfix systems. - - Low: add INSTALL section for pre-existing RPM Postfixes. - - Low: disallow smtpd_recipient_limit < 100 (the RFC minimum). - - Low: noise filter: allow smtp(8) to retry immediately if - all MXes return a quick ECONNRESET or 4xx reply during the - initial handshake. Retry once? How many times? - - Low: make post-install a "postfix-only script" so it can - take data from the environment instead of main.cf. - - Low: randomize deferred mail backoff. - - Med: separate ulimit for delivery to command? - - Med: option to open queue file early, after MAIL FROM. This - would allow correlation of rejected RCPT TO requests with - accepted requests for the same mail transaction. - - Med: silly queue file bit so that the queue manager doesn't - skip files when fast flush is requested while a queue scan - is in progress. The bit is set by the flush server and is - reset when the mail is deferred, so that it survives queue - manager restart. It's not clear, however, how one would - unthrottle disabled transports or queues. - - Med: postsuper -r should do something with recipients in - bounce logfiles, to make sure the sender will be notified. - To be perfectly safe, no process other than the queue manager - should move a queue file away from the active queue. - - This could involve tagging a queue file, and use up another - permission bit. - - Low: postsuper re-run after renaming files, but only a - limited number of times. - - Low: smtp-source may block when sending large test messages. - - Med: make qmgr recipient bounce/defer activity asynchronous - or add a multi-recipient operation that reduces overhead. - One possibility is to pass delivery requests to a retry(8) - delivery agent which is error(8) in disguise, and which - calls defer_append() instead of bounce_append(). - - Med: find a way to log the sender address when MAIL FROM - is rejected due to lack of disk space. - - Low: revise other local delivery agent duplicate filters. - - Low: all table lookups should consistently use internalized - (unquoted) or externalized (quoted) forms as lookup keys. - smtpd, qmgr, local, etc. use unquoted address forms as keys. - cleanup uses quoted forms. - - Low: have a configurable list of errno values for mailbox - or maildir delivery that result in deferral rather than - bouncing mail. - - Low: after reorganizing configuration parameters, add flags - to all parameters whose value can be read from file. - - Medium: need in-process caching for map lookups. LDAP servers - seem to need this in particular. Need a way to expire cached - results that are too old. - - Low: generic showq protocol, to allow for more intelligent - processing than just mailq. Maybe marry this with postsuper. - - Low: default domain for appending to unqualified recipients, - so that unqualified names can be delivered locally. - - Low: The $process_id_directory setting is not used anywhere - in Postfix. Problem reported by Michael Smith, texas.net. - This should be documented, or better, the code should warn - about attempts to set read-only parameters. - - Low: postconf -e edits parameters that postconf won't list. - - Low: while converting 8bit text to quoted-printable, perhaps - use =46rom to avoid having to produce >From when delivering - to mailbox. - - virtual_mailbox_path expression like forward_path, so that - people can specify prefix and suffix. + Bugfix: file/memory leak if a transfer of multiple milters + from smtpd to cleanup broke in the middle. Found by Coverity. + File: milter/milter.c. diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README index 15679b7b0..5db4991d1 100644 --- a/postfix/README_FILES/ADDRESS_VERIFICATION_README +++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README @@ -124,6 +124,10 @@ surprises. If a recipient probe fails, then Postfix rejects mail for the recipient address. If a recipient probe succeeds, then Postfix accepts mail for the recipient address. +By default, address verification results are not saved. To avoid probing the +same address repeatedly, you can store the result in a persistent database as +described later. + /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README index 3a70f3c2b..cace42a9e 100644 --- a/postfix/README_FILES/FILTER_README +++ b/postfix/README_FILES/FILTER_README @@ -330,6 +330,7 @@ the Postfix master.cf file: # ============================================================= scan unix - - n - 10 smtp -o smtp_send_xforward_command=yes + -o disable_mime_output_conversion=yes * This runs up to 10 content filters in parallel. Instead of a limit of 10 concurrent processes, use whatever process limit is feasible for your @@ -343,6 +344,13 @@ the Postfix master.cf file: real client name IP address. See smtp(8) and XFORWARD_README for more information. + * With "-o disable_mime_output_conversion=yes", the scan delivery agent will + not convert 8BITMIME mail to quoted-printable form while delivering to the + content filter, as that would invalidate domainkeys and other digital + signatures. This workaround is needed because some SMTP-based content + filters don't announce 8BITMIME support, even though they can handle it + just fine. + AAddvvaanncceedd ccoonntteenntt ffiilltteerr:: rruunnnniinngg tthhee ccoonntteenntt ffiilltteerr The content filter can be set up with the Postfix spawn service, which is the diff --git a/postfix/README_FILES/MILTER_README b/postfix/README_FILES/MILTER_README index 05e0436a5..66356a095 100644 --- a/postfix/README_FILES/MILTER_README +++ b/postfix/README_FILES/MILTER_README @@ -12,12 +12,12 @@ FROM, etc.) as well as mail content. All this happens before mail is queued. The reason for adding Milter support to Postfix is that there exists a large collection of applications, not only to block unwanted mail, but also to verify authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail -(example: Domain keys). Having yet another MTA-specific version of all that +(example: Domain keys). Having yet another Postfix-specific version of all that software is a poor use of human and system resources. Postfix 2.3 implements all the requests of Sendmail version 8 Milter protocols up to version 4, except one: message body replacement. See, however, the -limitations section at the end of this document. +workarounds and limitations sections at the end of this document. This document provides information on the following topics: @@ -185,7 +185,7 @@ The general syntax for listening sockets is as follows: Connect to the specified TCP port on the specified local or remote host. The host and port can be specified in numeric or symbolic form. - Note: Postfix syntax differs from Milter syntax which has the form + NOTE: Postfix syntax differs from Milter syntax which has the form iinneett::port@@host. NNoonn--SSMMTTPP MMiilltteerr aapppplliiccaattiioonnss @@ -381,10 +381,19 @@ message). WWoorrkkaarroouunnddss +Content filters may break domain key etc. signatures. If you use an SMTP-based +filter as described in FILTER_README, then you should add a line to master.cf +with "disable_mime_output_conversion = yes", as described in the advanced +content filter example. + Sendmail Milter applications were originally developed for the Sendmail version 8 MTA, which has a different architecture than Postfix. The result is that some Milter applications make assumptions that aren't true in a Postfix environment. + * Some Milter applications use the "{if_addr}" macro to recognize local mail; + this macro does not exist in Postfix. Workaround: use the "{client_addr}" + macro instead. + * Some Milter applications log a warning that looks like this: sid-filter[36540]: WARNING: sendmail symbol 'i' not available @@ -394,12 +403,13 @@ Milter applications make assumptions that aren't true in a Postfix environment. X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com - This happens because the Milter application expects that the queue ID is + This happens because some Milter applications expect that the queue ID is known before the MTA accepts the MAIL FROM (sender) command. Postfix, on - the other hand, does not create a queue file until after Postfix accepts - the first valid RCPT TO (recipient) command. This queue file name must be - globally unique across multiple queue directories, so it cannot be chosen - until the file is actually created. + the other hand, does not choose a queue file name until after it accepts + the first valid RCPT TO (recipient) command. Postfix queue file names must + be unique across multiple directories, so the name can't be chosen before + the file is created. If multiple messages were to use the same queue ID + simultaneously, mail would be lost. To work around the ugly message header from Milter applications, we add a little code to the Milter source to look up the queue ID after Postfix @@ -411,19 +421,27 @@ Milter applications make assumptions that aren't true in a Postfix environment. o Look up the mlfi_eom() function and add code near the top shown as bboolldd text below: - sic = (Context) smfi_getpriv(ctx); - assert(sic != NULL); + dfc = cc->cctx_msg; + assert(dfc != NULL); - //** - **** DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg.. - **// - iiff ((ssiicc-->>ccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ssiicc-->>ccttxx__jjoobbiidd,, MMSSGGIIDDUUNNKKNNOOWWNN)) ==== 00)) {{ + //** DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg.. **// + iiff ((ddffcc-->>mmccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ddffcc-->>mmccttxx__jjoobbiidd,, JJOOBBIIDDUUNNKKNNOOWWNN)) ==== 00)) + {{ cchhaarr **jjoobbiidd == ssmmffii__ggeettssyymmvvaall((ccttxx,, ""ii""));; iiff ((jjoobbiidd !!== 00)) - ssiicc-->>ccttxx__jjoobbiidd == jjoobbiidd;; + ddffcc-->>mmccttxx__jjoobbiidd == jjoobbiidd;; }} - This does not remove the WARNING message, however. + /* get hostname; used in the X header and in new MIME boundaries */ + + NOTES: + + o Different mail filters use slightly different names for variables. If + the above code does not compile, look for the code at the start of the + mlfi_eoh() routine. + + o This fixes only the ugly message header, but not the WARNING message. + Fortunately, dk-filter logs that message only once. With some Milter applications we can fix both the WARNING and the "unknown- msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 5c7134fbb..a5353848a 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -282,8 +282,8 @@ EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMM By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with -"smtpd_tls_security_level = may" (Postfix 2.3 and later) or -"smtpd_use_tls = yes" (obsolete but still supported). +"smtpd_tls_security_level = may" (Postfix 2.3 and later) or "smtpd_use_tls = +yes" (obsolete but still supported). Example: @@ -484,31 +484,38 @@ SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss The description below is for Postfix 2.3; for Postfix < 2.3 the smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an explicit -OpenSSL cipherlist. +OpenSSL cipherlist. The obsolete setting applies even when TLS encryption is +not enforced. Use of this control on public MX hosts is strongly discouraged. + +With mandatory TLS encryption, the Postfix SMTP server will by default only use +SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. This is +controlled by the smtpd_tls_mandatory_protocols configuration parameter. The Postfix SMTP server supports 5 distinct cipher security levels as specified -by the smtpd_tls_ciphers configuration parameter. The default value is "export" -which is the only one appropriate for public MX hosts. On private MX hosts or -MSAs one can further restrict the OpenSSL cipherlist selection. +by the smtpd_tls_mandatory_ciphers configuration parameter, which determines +the cipher grade with mandatory TLS encryption. The default value is "medium" +which is essentially 128-bit encryption or better. With opportunistic TLS +encryption, the minimum accepted cipher grade is always "export". By default anonymous ciphers are allowed, and automatically disabled when client certificates are requested. If clients are expected to always verify the server certificate you may want to exclude anonymous ciphers by setting -"smtpd_tls_exclude_ciphers = aNULL". One can't force a client to check the -server certificate, so excluding anonymous ciphers is generally unnecessary. +"smtpd_tls_mandatory_exclude_ciphers = aNULL". One can't force a client to +check the server certificate, so excluding anonymous ciphers is generally +unnecessary. For a server that is not a public Internet MX host, Postfix 2.3 supports configurations with no server certificates that use oonnllyy the anonymous ciphers. This is enabled by explicitly setting "smtpd_tls_cert_file = none" and not specifying an smtpd_tls_dcert_file. -Example: (MSA that requires TLS with reasonably secure ciphers) +Example: (MSA that requires TLS with high grade ciphers) /etc/postfix/main.cf: smtpd_tls_cert_file = /etc/postfix/cert.pem smtpd_tls_key_file = /etc/postfix/key.pem - smtpd_tls_ciphers = medium - smtpd_tls_exclude_ciphers = aNULL, MD5 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 # Postfix 2.3 and later smtpd_tls_security_level = encrypt # Obsolete, but still supported @@ -870,7 +877,7 @@ grade or better ciphers are used. With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are "smtp_use_tls = yes" and "smtp_enforce_tls = no". For LMTP use the -corresponding "lmtp" parameters. +corresponding "lmtp_" parameters. With opportunistic TLS, mail delivery continues even if the server certificate is untrusted or bears the wrong name. Starting with Postfix 2.3, when the TLS @@ -927,7 +934,7 @@ interoperability and security guidelines. With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = no". For -LMTP use the corresponding lmtp_ parameters. +LMTP use the corresponding "lmtp_" parameters. Despite the potential for eliminating passive eavesdropping attacks, mandatory TLS encryption is not viable as a default security level for mail delivery to @@ -1022,7 +1029,7 @@ secure-channel destinations. With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes". -For LMTP use the corresponding lmtp_ parameters. +For LMTP use the corresponding "lmtp_" parameters. If the server certificate chain is trusted (see smtp_tls_CAfile and smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate @@ -1088,7 +1095,7 @@ With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its default (backwards compatible) empty value, the appropriate configuration settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" with additional settings to harden peer certificate verification against forged -DNS data. For LMTP, use the corresponding lmtp_ parameters. +DNS data. For LMTP, use the corresponding "lmtp_" parameters. If the server certificate chain is trusted (see smtp_tls_CAfile and smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate @@ -1366,8 +1373,8 @@ are allowed. On the right hand side specify one of the following keywords: MAY Opportunistic TLS. This has less precedence than a more specific result (including "NONE") from the alternate host or next-hop lookup key, and - has less precedence than the more specific global - "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes". + has less precedence than the more specific global "smtp_enforce_tls = + yes" or "smtp_tls_enforce_peername = yes". MUST_NOPEERMATCH Mandatory TLS encryption. This overrides a less secure "NONE" or a less specific "MAY" lookup result from the alternate host or next-hop lookup @@ -1498,9 +1505,9 @@ today's crypt-analytic methods. See smtp_tls_policy_maps for information on how to configure ciphers on a per-destination basis. By default anonymous ciphers are allowed, and automatically disabled when -server certificates are verified. If you want to disable even at the "encrypt" -security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL", to disable -anonymous ciphers even with opportunistic TLS, set +server certificates are verified. If you want to disable anonymous ciphers even +at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers = +aNULL"; and to disable anonymous ciphers even with opportunistic TLS, set "smtp_tls_exclude_ciphers = aNULL". There is generally no need to take these measures. Anonymous ciphers save bandwidth and TLS session cache space, if certificates are ignored, there is little point in requesting them. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index c6822b7b5..a1ac8c040 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -1,4 +1,4 @@ -The stable Postfix release is called postfix-2.2.x where 2=major +The stable Postfix release is called postfix-2.3.x where 2=major release number, 3=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. @@ -317,9 +317,9 @@ parameters. [Feature 20060709] TLS security levels ("none", "may", "encrypt") in the Postfix SMTP server. You specify the security level with the smtpd_tls_security_level parameter. This overrides the multiple -smtpd_use_tls and smtpd_enforce_tls parameters. When a value of -"verify" or "secure" is specified, the Postfix SMTP server logs a -warning and uses "encrypt" instead. +smtpd_use_tls and smtpd_enforce_tls parameters. When one of the +unimplemented "verify" or "secure" levels is specified, the Postfix +SMTP server logs a warning and uses "encrypt" instead. [Feature 20060123] A new per-site TLS policy mechanism for the Postfix SMTP client that supports the new TLS security levels, @@ -493,7 +493,7 @@ enhanced status codes. For example, status code 5.1.1 means "recipient unknown". Postfix recognizes enhanced status codes in remote server replies, generates enhanced status codes while handling email, and reports enhanced status codes in non-delivery notifications. -This improves the user interaction with mail clients that translate +This improves the user experience with mail clients that translate enhanced status codes into text in the user's own language. You can, but don't have to, specify RFC 3463 enhanced status codes diff --git a/postfix/conf/access b/postfix/conf/access index 975bf7c16..633f4d03b 100644 --- a/postfix/conf/access +++ b/postfix/conf/access @@ -355,7 +355,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire query string once. # Depending on the application, that string is an entire diff --git a/postfix/conf/canonical b/postfix/conf/canonical index 3ae946aaf..1dc739589 100644 --- a/postfix/conf/canonical +++ b/postfix/conf/canonical @@ -156,7 +156,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # user@domain mail addresses are not broken up into their diff --git a/postfix/conf/generic b/postfix/conf/generic index 3d5c616c1..232e7b058 100644 --- a/postfix/conf/generic +++ b/postfix/conf/generic @@ -136,7 +136,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # user@domain mail addresses are not broken up into their diff --git a/postfix/conf/relocated b/postfix/conf/relocated index 468dd4dc6..ba018e5bc 100644 --- a/postfix/conf/relocated +++ b/postfix/conf/relocated @@ -85,7 +85,7 @@ # regexp_table(5) or pcre_table(5). For a description of the # TCP client/server table lookup protocol, see tcp_table(5). # This feature is not available up to and including Postfix -# version 2.2. +# version 2.3. # # Each pattern is a regular expression that is applied to # the entire address being looked up. Thus, user@domain mail @@ -106,7 +106,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # user@domain mail addresses are not broken up into their diff --git a/postfix/conf/transport b/postfix/conf/transport index e83b52a09..da6e0ef40 100644 --- a/postfix/conf/transport +++ b/postfix/conf/transport @@ -237,7 +237,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire recipient address # once. Thus, some.domain.hierarchy is not looked up via diff --git a/postfix/conf/virtual b/postfix/conf/virtual index 1790f062a..64e2a26fa 100644 --- a/postfix/conf/virtual +++ b/postfix/conf/virtual @@ -203,7 +203,7 @@ # lookups are directed to a TCP-based server. For a descrip- # tion of the TCP client/server lookup protocol, see tcp_ta- # ble(5). This feature is not available up to and including -# Postfix version 2.2. +# Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # user@domain mail addresses are not broken up into their diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html index 364dea607..7f6ab85ca 100644 --- a/postfix/html/ADDRESS_VERIFICATION_README.html +++ b/postfix/html/ADDRESS_VERIFICATION_README.html @@ -230,6 +230,10 @@ and there are no surprises. If a recipient probe fails, then Postfix rejects mail for the recipient address. If a recipient probe succeeds, then Postfix accepts mail for the recipient address.

+

By default, address verification results are not saved. To avoid +probing the same address repeatedly, you can store the result in a +persistent database as described later.

+ 
 /etc/postfix/main.cf:
diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html
index 10c8f2c26..01d08b6d7 100644
--- a/postfix/html/FILTER_README.html
+++ b/postfix/html/FILTER_README.html
@@ -615,6 +615,7 @@ how one would set up the service in the Postfix master.c
     # =============================================================
     scan      unix  -       -       n       -       10      smtp
         -o smtp_send_xforward_command=yes
+        -o disable_mime_output_conversion=yes
@@ -633,6 +634,13 @@ after-filter smtpd process, so that filtered mail is logged with the real client name IP address. See smtp(8) and XFORWARD_README for more information.

+

  • With "-o disable_mime_output_conversion=yes", the scan +delivery agent will not convert 8BITMIME mail to quoted-printable +form while delivering to the content filter, as that would invalidate +domainkeys and other digital signatures. This workaround is needed +because some SMTP-based content filters don't announce 8BITMIME +support, even though they can handle it just fine.

    +

    Advanced content filter: running the content filter

    diff --git a/postfix/html/MILTER_README.html b/postfix/html/MILTER_README.html index b53a258b9..1ae1d0676 100644 --- a/postfix/html/MILTER_README.html +++ b/postfix/html/MILTER_README.html @@ -32,13 +32,14 @@ href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF and Domain keys) or to digitally sign mail (example: Domain keys). -Having yet another MTA-specific version of all that software is a -poor use of human and system resources.

    +Having yet another Postfix-specific version of all that software +is a poor use of human and system resources.

    Postfix 2.3 implements all the requests of Sendmail version 8 Milter protocols up to version 4, except one: message body replacement. -See, however, the limitations section -at the end of this document.

    +See, however, the workarounds and limitations sections at the end of this +document.

    This document provides information on the following topics:

    @@ -337,7 +338,7 @@ Connect to the specified TCP port on the specified local or remote host. The host and port can be specified in numeric or symbolic form.

    -

    Note: Postfix syntax differs from Milter syntax which has the +

    NOTE: Postfix syntax differs from Milter syntax which has the form inet:port@host.

    @@ -611,6 +612,13 @@ TO

    Workarounds

    +

    Content filters may break domain key etc. signatures. If you +use an SMTP-based filter as described in FILTER_README, then you +should add a line to master.cf with "disable_mime_output_conversion += yes", as described in the advanced content filter +example.

    +

    Sendmail Milter applications were originally developed for the Sendmail version 8 MTA, which has a different architecture than Postfix. The result is that some Milter applications make assumptions @@ -618,6 +626,10 @@ that aren't true in a Postfix environment.

    diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html index a55106809..1500b784a 100644 --- a/postfix/html/access.5.html +++ b/postfix/html/access.5.html @@ -361,7 +361,7 @@ ACCESS(5) ACCESS(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire query string once. Depending on the application, that string is an entire diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html index f50ef1224..6256c3efc 100644 --- a/postfix/html/bounce.8.html +++ b/postfix/html/bounce.8.html @@ -108,6 +108,11 @@ BOUNCE(8) BOUNCE(8) The time limit for sending or receiving information over an internal communication channel. + internal_mail_filter_classes (empty) + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by + non_smtpd_milters, header_checks and body_checks. + mail_name (Postfix) The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in diff --git a/postfix/html/canonical.5.html b/postfix/html/canonical.5.html index fbcfc5e66..8ee71e649 100644 --- a/postfix/html/canonical.5.html +++ b/postfix/html/canonical.5.html @@ -162,7 +162,7 @@ CANONICAL(5) CANONICAL(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire address once. Thus, user@domain mail addresses are not broken up into their diff --git a/postfix/html/generic.5.html b/postfix/html/generic.5.html index 8ff79b1bb..e0c2a5e00 100644 --- a/postfix/html/generic.5.html +++ b/postfix/html/generic.5.html @@ -142,7 +142,7 @@ GENERIC(5) GENERIC(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire address once. Thus, user@domain mail addresses are not broken up into their diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index a6c7fc76a..0600eabab 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -1002,7 +1002,8 @@ the Postfix SMTP client returns such mail as undeliverable.

    Specify, for example, "best_mx_transport = local" to pass the mail -from the SMTP client to the local(8) delivery agent. You can specify +from the Postfix SMTP client to the local(8) delivery agent. You +can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop". @@ -2858,7 +2859,8 @@ for IPv6.

    A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in -the master.cf SMTP server definitions. This preserves the SMTP client's +the master.cf SMTP server definitions. This preserves the Postfix +SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPV6 address is primarily useful with virtual @@ -2949,6 +2951,32 @@ block all mail to a site.

    + + +
    internal_mail_filter_classes +(default: empty)
    + +

    What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. Specify zero or more of the following, separated +by whitespace or comma.

    + +
    + +
    bounce
    Inspect the content of delivery +status notifications.
    + +
    notify
    Inspect the content of postmaster +notifications by the smtp(8) and smtpd(8) processes.
    + +
    + +

    NOTE: It's generally not safe to enable content inspection of +Postfix-generated email messages. The user is warned.

    + +

    This feature is available in Postfix 2.3 and later.

    + +
    invalid_hostname_reject_code @@ -4155,8 +4183,8 @@ lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

    -If this parameter is non-empty (the default), then the Postfix SMTP server -will reject mail for unknown local users. +If this parameter is non-empty (the default), then the Postfix SMTP +server will reject mail for unknown local users.

    @@ -6813,8 +6841,8 @@ the word "ESMTP" appears in the server greeting banner (example: (default: empty)

    -An optional numerical network address that the SMTP client should -bind to when making an IPv4 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv4 connection.

    @@ -6844,8 +6872,8 @@ but this form is not recommended here.

    (default: empty)

    -An optional numerical network address that the SMTP client should -bind to when making an IPv6 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv6 connection.

    This feature is available in Postfix 2.2 and later.

    @@ -6898,7 +6926,8 @@ zero (use the operating system built-in time limit).

    -When no connection can be made within the deadline, the SMTP client +When no connection can be made within the deadline, the Postfix +SMTP client tries the next address on the mail exchanger list. Specify 0 to disable the time limit (i.e. use whatever timeout is implemented by the operating system). @@ -7089,7 +7118,7 @@ The default time unit is s (seconds).

    The SMTP client time limit for sending the SMTP message content. When the connection makes no progress for more than $smtp_data_xfer_timeout -seconds the SMTP client terminates the transfer. +seconds the Postfix SMTP client terminates the transfer.

    @@ -7156,7 +7185,7 @@ into concurrency per recipient.

    Lookup tables, indexed by the remote SMTP server address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, -etc.) that the SMTP client will ignore in the EHLO response from a +etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. See smtp_discard_ehlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps.

    @@ -7170,8 +7199,8 @@ table is not indexed by hostname for consistency with (default: empty)

    A case insensitive list of EHLO keywords (pipelining, starttls, -auth, etc.) that the SMTP client will ignore in the EHLO response -from a remote SMTP server.

    +auth, etc.) that the Postfix SMTP client will ignore in the EHLO +response from a remote SMTP server.

    This feature is available in Postfix 2.2 and later.

    @@ -7311,7 +7340,7 @@ The default time unit is s (seconds). (default: dns)

    -What mechanisms when the SMTP client uses to look up a host's IP +What mechanisms when the Postfix SMTP client uses to look up a host's IP address. This parameter is ignored when DNS lookups are disabled.

    @@ -7566,9 +7595,10 @@ Example:
    smtp_sasl_auth_enforce (default: yes)
    -

    Defer mail delivery when an SMTP server does not support SASL -authentication, while smtp_sasl_password_maps contains SASL -login/password information for that server.

    +

    If sender-dependent SASL passwords are turned off, defer mail +delivery when an SMTP server does not support SASL authentication, +while smtp_sasl_password_maps contains SASL login/password information +for that server.

    This feature is available in Postfix 2.3 and later.

    @@ -7728,8 +7758,8 @@ for authentication. The available types are listed with the (default: no)

    -Send the non-standard XFORWARD command when the Postfix SMTP server EHLO -response announces XFORWARD support. +Send the non-standard XFORWARD command when the Postfix SMTP server +EHLO response announces XFORWARD support.

    @@ -7751,7 +7781,7 @@ This feature is available in Postfix 2.1 and later. (default: no)

    -Enable sender-dependent authentication in the SMTP client; this is +Enable sender-dependent authentication in the Postfix SMTP client; this is available only with SASL authentication, and disables SMTP connection caching to ensure that mail from different senders will use the appropriate credentials.

    @@ -7920,7 +7950,7 @@ hence pass the "openssl verify -purpose sslclient ..." test.

    (default: empty)

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS -cipher list. As this feature applies to all security levels, it is easy +cipher list. As this feature applies to all TLS security levels, it is easy to create inter-operability problems by choosing a non-default cipher list. Do not use a non-default TLS cipher list on hosts that deliver email to the public Internet: you will be unable to send email to servers that @@ -7974,7 +8004,7 @@ specified with $smtp_tls_cert_file<

    smtp_tls_enforce_peername (default: yes)
    -

    When TLS encryption is enforced, require that the remote SMTP +

    With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. As of RFC 2487 the requirements for hostname checking for MTA clients are not specified.

    @@ -7997,8 +8027,9 @@ Postfix 2.3 and later use smtp
    smtp_tls_exclude_ciphers (default: empty)
    -

    List of ciphers or cipher types to exclude from the SMTP client cipher -list at all security levels. This is not an OpenSSL cipherlist, it is +

    List of ciphers or cipher types to exclude from the Postfix +SMTP client cipher +list at all TLS security levels. This is not an OpenSSL cipherlist, it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching all the properties are excluded.

    @@ -8080,12 +8111,13 @@ loglevel 4 is strongly discouraged.

    smtp_tls_mandatory_ciphers (default: medium)
    -

    The minimum SMTP client TLS cipher grade that is strong enough to -be used with the "encrypt" security level and higher. The default -value "medium" is suitable for most destinations with which you may -want to enforce TLS, and is beyond the reach of today's crypt-analytic -methods. See smtp_tls_policy_maps for information on how to configure -ciphers on a per-destination basis.

    +

    The minimum TLS cipher grade that the Postfix SMTP client will +use with +mandatory TLS encryption. The default value "medium" is suitable +for most destinations with which you may want to enforce TLS, and +is beyond the reach of today's crypt-analytic methods. See +smtp_tls_policy_maps for information on how to configure ciphers +on a per-destination basis.

    The following cipher grades are supported:

    @@ -8155,11 +8187,10 @@ encryption or authentication).
    smtp_tls_mandatory_exclude_ciphers (default: empty)
    -

    List of ciphers or cipher types to exclude from the SMTP client -cipher list at the mandatory TLS security levels: "encrypt", "verify" -and "secure". See smtp_tls_exclude_ciphers for syntax details. When -both "exclude" parameters are defined, the combined list of ciphers is -excluded (provided the TLS security level is "encrypt" or higher).

    +

    Additional list of ciphers or cipher types to exclude from the +SMTP client cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtp_tls_exclude_ciphers +(see there for syntax details).

    This feature is available in Postfix 2.3 and later.

    @@ -8169,8 +8200,8 @@ excluded (provided the TLS security level is "encrypt" or higher).

    smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
    -

    List of TLS protocol versions that are secure enough to be used -with the "encrypt" security level and higher. In main.cf the values +

    List of TLS protocols that the Postfix SMTP client will use +with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid separator is colon. An empty value means allow all protocols. The valid protocol names, @@ -9788,7 +9819,7 @@ null sender address.

    smtpd_peername_lookup (default: yes)
    -

    Attempt to look up the SMTP client hostname, and verify that +

    Attempt to look up the Postfix SMTP client hostname, and verify that the name matches the client IP address. A client name is set to "unknown" when it cannot be looked up or verified, or when name lookup is disabled. Turning off name lookup reduces delays due to @@ -10868,81 +10899,7 @@ clients.

    Note: do not use "" quotes around the parameter value.

    This feature is available with Postfix version 2.2. It is not used with -Postfix 2.3 and later; use smtpd_tls_ciphers instead.

    - - -
    - -
    smtpd_tls_ciphers -(default: export)
    - -

    The minimum acceptable SMTP server TLS cipher grade. It is easy to -create inter-operability problems by choosing a non-default cipher grade. -Do not use a stronger than default minimum cipher grade for MX hosts on -the public Internet. Clients that begin the TLS handshake, but are unable -to agree on a common cipher, may not be able to send any email to the -SMTP server. Using a restricted cipher list may be more appropriate for a -dedicated MSA or an internal mailhub, where one can exert some control over -the TLS software and settings of the connecting clients. Configurations -with no certificates are also not likely to inter-operate with most -clients, see the notes for "smtpd_tls_cert_file".

    - -

    The following cipher grades are supported:

    - -
    -
    export
    -
    Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. -This is the most appropriate setting for public MX hosts. The underlying -cipherlist is specified via the tls_export_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_export_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    - -
    low
    -
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_low_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_low_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    - -
    medium
    -
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_medium_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_medium_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    - -
    high
    -
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_high_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_high_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, set -"smtpd_tls_exclude_ciphers = aNULL".
    - -
    null
    -
    Enable only the "NULL" OpenSSL ciphers, these provide authentication -without encryption. This setting is only appropriate in the rare -case that all clients are prepared to use NULL ciphers (not normally -enabled in TLS clients). The underlying cipherlist is specified via the -tls_null_cipherlist configuration parameter, which you are strongly -encouraged to not change. The default value of tls_null_cipherlist -excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer -data integrity without encryption or authentication).
    - -
    - -

    This feature is available in Postfix 2.3 and later.

    +Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

    @@ -10983,7 +10940,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024

    Your actual source for entropy may differ. Some systems have /dev/random; on other system you may consider using the "Entropy -Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/. +Gathering Daemon EGD", available at http://egd.sourceforge.net/

    Example:

    @@ -11036,10 +10993,12 @@ must be accessible without password.

    (default: empty)

    List of ciphers or cipher types to exclude from the SMTP server -cipher list. This is not an OpenSSL cipherlist; it is a simple list -separated by whitespace and/or commas. The elements are a single -cipher, or one or more "+" separated cipher properties, in which -case only ciphers matching all the properties are excluded.

    +cipher list at all TLS security levels. Excluding valid ciphers +can create interoperability problems. DO NOT exclude ciphers unless it +is essential to do so. This is not an OpenSSL cipherlist; it is a simple +list separated by whitespace and/or commas. The elements are a single +cipher, or one or more "+" separated cipher properties, in which case +only ciphers matching all the properties are excluded.

    Examples (some of these will cause problems):

    @@ -11107,23 +11066,115 @@ loglevel 4 is strongly discouraged.

    -
    smtpd_tls_protocols +
    smtpd_tls_mandatory_ciphers +(default: medium)
    + +

    The minimum TLS cipher grade that the Postfix SMTP server will +use with mandatory +TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers +or smtpd_tls_exclude_ciphers are excluded from the base definition +of the selected cipher grade. With opportunistic TLS encryption, +the "export" grade is used unconditionally with exclusions specified +only via smtpd_tls_exclude_ciphers.

    + +

    The following cipher grades are supported:

    + +
    +
    export
    +
    Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. +This is the most appropriate setting for public MX hosts, and is always +used with opportunistic TLS encryption. The underlying cipherlist +is specified via the tls_export_cipherlist configuration parameter, +which you are strongly encouraged to not change. The default value +of tls_export_cipherlist includes anonymous ciphers, but these are +automatically filtered out if the server is configured to ask for +client certificates. If you must always exclude anonymous ciphers, +set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers +only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = +aNULL".
    + +
    low
    +
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. The +underlying cipherlist is specified via the tls_low_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_low_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    + +
    medium
    +
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These +are essentially the 128-bit or stronger ciphers. This is the default +minimum strength for mandatory TLS encryption. MSAs that enforce +TLS and have clients that do not support any "MEDIUM" or "HIGH" +grade ciphers, may need to configure a weaker ("low" or "export") +minimum cipher grade. The underlying cipherlist is specified via the +tls_medium_cipherlist configuration parameter, which you are strongly +encouraged to not change. The default value of tls_medium_cipherlist +includes anonymous ciphers, but these are automatically filtered out if +the server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    + +
    high
    +
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. The +underlying cipherlist is specified via the tls_high_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_high_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    + +
    null
    +
    Enable only the "NULL" OpenSSL ciphers, these provide authentication +without encryption. This setting is only appropriate in the rare +case that all clients are prepared to use NULL ciphers (not normally +enabled in TLS clients). The underlying cipherlist is specified via the +tls_null_cipherlist configuration parameter, which you are strongly +encouraged to not change. The default value of tls_null_cipherlist +excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer +data integrity without encryption or authentication).
    + +
    + +

    This feature is available in Postfix 2.3 and later.

    + + +
    + +
    smtpd_tls_mandatory_exclude_ciphers (default: empty)
    -

    The list of TLS protocols supported by the Postfix SMTP server. -If the list is empty, the server supports all available TLS protocol -versions. A non-empty value is a list of protocol names separated -by whitespace, commas or colons. The supported protocol names are -"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

    +

    Additional list of ciphers or cipher types to exclude from the +SMTP server cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtpd_tls_exclude_ciphers +(see there for syntax details).

    -

    DO NOT set this to a non-default value on an Internet MX host, -as this may cause inter-operability problems. If you restrict the -protocol list on an Internet MX host, you may lose mail.

    +

    This feature is available in Postfix 2.3 and later.

    + + +
    + +
    smtpd_tls_mandatory_protocols +(default: SSLv3, TLSv1)
    + +

    The TLS protocols accepted by the Postfix SMTP server with +mandatory TLS encryption. With opportunistic TLS encryption, all +protocols are always accepted. If the list is empty, the server +supports all available TLS protocol versions. A non-empty value +is a list of protocol names separated by whitespace, commas or +colons. The supported protocol names are "SSLv2", "SSLv3" and +"TLSv1", and are not case sensitive.

    Example: 

    -smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1

    This feature is available in Postfix 2.3 and later.

    @@ -11149,7 +11200,7 @@ that was recorded by the final destination can be trusted.

    smtpd_tls_req_ccert (default: no)
    -

    When TLS encryption is enforced, require a remote SMTP client +

    With mandatory TLS encryption, require a remote SMTP client certificate in order to allow TLS connections to proceed. This option implies "smtpd_tls_ask_ccert = yes".

    @@ -11200,6 +11251,8 @@ encrypt" implies "smtpd_tls_auth_o offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.

    +

    This feature is available in Postfix 2.3 and later.

    +
    @@ -11528,7 +11581,7 @@ bytes (equivalent to 256 bits) is sufficient to generate a 128bit (default: ALL:+RC4:@STRENGTH)

    The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This -defines the meaning of the "export" setting in smtpd_tls_ciphers, +defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are @@ -11543,7 +11596,7 @@ strongly encouraged to not change this setting.

    (default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)

    The OpenSSL cipherlist for "HIGH" grade ciphers. This defines -the meaning of the "high" setting in smtpd_tls_ciphers, +the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    @@ -11556,7 +11609,7 @@ strongly encouraged to not change this setting.

    (default: !EXPORT:ALL:+RC4:@STRENGTH)

    The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines -the meaning of the "low" setting in smtpd_tls_ciphers, +the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    @@ -11569,7 +11622,7 @@ strongly encouraged to not change this setting.

    (default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH)

    The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This -defines the meaning of the "medium" setting in smtpd_tls_ciphers, +defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server @@ -11586,7 +11639,7 @@ setting.

    The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. This defines the meaning of the "null" -setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and +setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    diff --git a/postfix/html/relocated.5.html b/postfix/html/relocated.5.html index bc82e5b50..f3d27d524 100644 --- a/postfix/html/relocated.5.html +++ b/postfix/html/relocated.5.html @@ -91,7 +91,7 @@ RELOCATED(5) RELOCATED(5) regexp_table(5) or pcre_table(5). For a description of the TCP client/server table lookup protocol, see tcp_table(5). This feature is not available up to and including Postfix - version 2.2. + version 2.3. Each pattern is a regular expression that is applied to the entire address being looked up. Thus, user@domain mail @@ -112,7 +112,7 @@ RELOCATED(5) RELOCATED(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire address once. Thus, user@domain mail addresses are not broken up into their diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index c1aa2caca..ca2302a55 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -206,14 +206,14 @@ SMTP(8) SMTP(8) Lookup tables, indexed by the remote SMTP server address, with case insensitive lists of EHLO key- words (pipelining, starttls, auth, etc.) that the - SMTP client will ignore in the EHLO response from a - remote SMTP server. + Postfix SMTP client will ignore in the EHLO + response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the SMTP client - will ignore in the EHLO response from a remote SMTP - server. + ing, starttls, auth, etc.) that the Postfix SMTP + client will ignore in the EHLO response from a + remote SMTP server. smtp_generic_maps (empty) Optional lookup tables that perform address rewrit- @@ -294,109 +294,99 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: smtp_sasl_auth_enforce (yes) - Defer mail delivery when an SMTP server does not - support SASL authentication, while smtp_sasl_pass- - word_maps contains SASL login/password information + If sender-dependent SASL passwords are turned off, + defer mail delivery when an SMTP server does not + support SASL authentication, while smtp_sasl_pass- + word_maps contains SASL login/password information for that server. smtp_sender_dependent_authentication (no) - Enable sender-dependent authentication in the SMTP - client; this is available only with SASL authenti- - cation, and disables SMTP connection caching to - ensure that mail from different senders will use - the appropriate credentials. + Enable sender-dependent authentication in the Post- + fix SMTP client; this is available only with SASL + authentication, and disables SMTP connection + caching to ensure that mail from different senders + will use the appropriate credentials. smtp_sasl_path (empty) - Implementation-specific information that is passed - through to the SASL plug-in implementation that is + Implementation-specific information that is passed + through to the SASL plug-in implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix - SMTP client; when a non-empty value is specified, - this overrides the obsolete parameters + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum SMTP client TLS cipher grade that is - strong enough to be used with the "encrypt" secu- - rity level and higher. + The minimum TLS cipher grade that the Postfix SMTP + client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) List of ciphers or cipher types to exclude from the - SMTP client cipher list at all security levels. + Postfix SMTP client cipher list at all TLS security + levels. smtp_tls_mandatory_exclude_ciphers (empty) - List of ciphers or cipher types to exclude from the - SMTP client cipher list at the mandatory TLS secu- - rity levels: "encrypt", "verify" and "secure". + Additional list of ciphers or cipher types to + exclude from the SMTP client cipher list at manda- + tory TLS security levels. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. - smtp_tls_policy_maps (empty) - Optional lookup tables with the Postfix SMTP client - TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the - obsolete smtp_tls_per_site parameter. - - smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of TLS protocol versions that are secure - enough to be used with the "encrypt" security level - and higher. - smtp_tls_scert_verifydepth (5) The verification depth for remote SMTP server cer- tificates. @@ -467,7 +457,7 @@ SMTP(8) SMTP(8) clear. smtp_tls_enforce_peername (yes) - When TLS encryption is enforced, require that the + With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. @@ -476,30 +466,34 @@ SMTP(8) SMTP(8) TLS usage policy by next-hop destination and by remote SMTP server hostname. + smtp_tls_cipherlist (empty) + Obsolete Postfix < 2.3 control for the Postfix SMTP + client TLS cipher list. + RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. lmtp_lhlo_timeout (300s) - The LMTP client time limit for sending the LHLO + The LMTP client time limit for sending the LHLO command, and for receiving the initial server response. @@ -508,30 +502,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -542,12 +536,12 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and earlier: @@ -559,11 +553,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. @@ -573,57 +567,62 @@ SMTP(8) SMTP(8) smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or + Time limit for connection cache connect, send or receive operations. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. + internal_mail_filter_classes (empty) + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by + non_smtpd_milters, header_checks and body_checks. + notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) @@ -631,7 +630,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) @@ -639,74 +638,74 @@ SMTP(8) SMTP(8) over an internal communication channel. lmtp_tcp_port (24) - The default TCP port that the Postfix LMTP client + The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) - An optional numerical network address that the SMTP - client should bind to when making an IPv4 connec- - tion. + An optional numerical network address that the + Postfix SMTP client should bind to when making an + IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the SMTP - client should bind to when making an IPv6 connec- - tion. + An optional numerical network address that the + Postfix SMTP client should bind to when making an + IPv6 connection. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. lmtp_lhlo_name ($myhostname) The hostname to send in the LMTP LHLO command. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look - up a host's IP address. + What mechanisms when the Postfix SMTP client uses + to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available with Postfix 2.2 and earlier: fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. SEE ALSO @@ -724,7 +723,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 476b23482..0a55a893b 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -328,88 +328,89 @@ SMTPD(8) SMTPD(8) Detailed information about STARTTLS configuration may be found in the TLS_README document. - smtpd_use_tls (no) - Opportunistic TLS: announce STARTTLS support to - SMTP clients, but do not require that clients use - TLS encryption. - - smtpd_enforce_tls (no) - Mandatory TLS: announce STARTTLS support to SMTP - clients, and require that clients use TLS encryp- - tion. + smtpd_tls_security_level (empty) + The SMTP TLS security level for the Postfix SMTP + server; when a non-empty value is specified, this + overrides the obsolete parameters smtpd_use_tls and + smtpd_enforce_tls. smtpd_sasl_tls_security_options ($smtpd_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP server uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP server uses for TLS encrypted SMTP sessions. smtpd_starttls_timeout (300s) - The time limit for Postfix SMTP server write and - read operations during TLS startup and shutdown + The time limit for Postfix SMTP server write and + read operations during TLS startup and shutdown handshake procedures. smtpd_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP server + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP server certificate. smtpd_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP server + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP server certificate. smtpd_tls_ask_ccert (no) - Ask a remote SMTP client for a client certificate. + Ask a remote SMTP client for a client certificate. smtpd_tls_auth_only (no) When TLS encryption is optional in the Postfix SMTP - server, do not announce or accept SASL authentica- + server, do not announce or accept SASL authentica- tion over unencrypted connections. smtpd_tls_ccert_verifydepth (5) - The verification depth for remote SMTP client cer- + The verification depth for remote SMTP client cer- tificates. smtpd_tls_cert_file (empty) - File with the Postfix SMTP server RSA certificate + File with the Postfix SMTP server RSA certificate in PEM format. - smtpd_tls_ciphers (export) - The minimum acceptable SMTP server TLS cipher - grade. - smtpd_tls_exclude_ciphers (empty) List of ciphers or cipher types to exclude from the - SMTP server cipher list. + SMTP server cipher list at all TLS security levels. smtpd_tls_dcert_file (empty) - File with the Postfix SMTP server DSA certificate + File with the Postfix SMTP server DSA certificate in PEM format. smtpd_tls_dh1024_param_file (empty) - File with DH parameters that the Postfix SMTP - server should use with EDH ciphers. - - smtpd_tls_dh512_param_file (empty) File with DH parameters that the Postfix SMTP server should use with EDH ciphers. + smtpd_tls_dh512_param_file (empty) + File with DH parameters that the Postfix SMTP + server should use with EDH ciphers. + smtpd_tls_dkey_file ($smtpd_tls_dcert_file) - File with the Postfix SMTP server DSA private key + File with the Postfix SMTP server DSA private key in PEM format. smtpd_tls_key_file ($smtpd_tls_cert_file) - File with the Postfix SMTP server RSA private key + File with the Postfix SMTP server RSA private key in PEM format. smtpd_tls_loglevel (0) - Enable additional Postfix SMTP server logging of + Enable additional Postfix SMTP server logging of TLS activity. - smtpd_tls_protocols (empty) - The list of TLS protocols supported by the Postfix - SMTP server. + smtpd_tls_mandatory_ciphers (medium) + The minimum TLS cipher grade that the Postfix SMTP + server will use with mandatory TLS encryption. + + smtpd_tls_mandatory_exclude_ciphers (empty) + Additional list of ciphers or cipher types to + exclude from the SMTP server cipher list at manda- + tory TLS security levels. + + smtpd_tls_mandatory_protocols (SSLv3, TLSv1) + The TLS protocols accepted by the Postfix SMTP + server with mandatory TLS encryption. smtpd_tls_received_header (no) Request that the Postfix SMTP server produces @@ -419,7 +420,7 @@ SMTPD(8) SMTPD(8) CommonName. smtpd_tls_req_ccert (no) - When TLS encryption is enforced, require a remote + With mandatory TLS encryption, require a remote SMTP client certificate in order to allow TLS con- nections to proceed. @@ -442,14 +443,6 @@ SMTPD(8) SMTPD(8) server in order to seed its internal pseudo random number generator (PRNG). - Available in Postfix version 2.3 and later: - - smtpd_tls_security_level (empty) - The SMTP TLS security level for the Postfix SMTP - server; when a non-empty value is specified, this - overrides the obsolete parameters smtpd_use_tls and - smtpd_enforce_tls. - tls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. @@ -459,7 +452,7 @@ SMTPD(8) SMTPD(8) ciphers. tls_low_cipherlist (!EXPORT:ALL:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) @@ -467,9 +460,28 @@ SMTPD(8) SMTPD(8) ciphers. tls_null_cipherlist (!aNULL:eNULL+kRSA) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. +OBSOLETE STARTTLS CONTROLS + The following configuration parameters exist for compati- + bility with Postfix versions before 2.3. Support for these + will be removed in a future release. + + smtpd_use_tls (no) + Opportunistic TLS: announce STARTTLS support to + SMTP clients, but do not require that clients use + TLS encryption. + + smtpd_enforce_tls (no) + Mandatory TLS: announce STARTTLS support to SMTP + clients, and require that clients use TLS encryp- + tion. + + smtpd_tls_cipherlist (empty) + Obsolete Postfix < 2.3 control for the Postfix SMTP + server TLS cipher list. + VERP SUPPORT CONTROLS With VERP style delivery, each recipient of a message receives a customized copy of the message with his/her own @@ -522,6 +534,11 @@ SMTPD(8) SMTPD(8) mail delivery problems that are caused by policy, resource, software or protocol errors. + internal_mail_filter_classes (empty) + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by + non_smtpd_milters, header_checks and body_checks. + notify_classes (resource, software) The list of error classes that are reported to the postmaster. @@ -677,8 +694,9 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.3 and later: smtpd_peername_lookup (yes) - Attempt to look up the SMTP client hostname, and - verify that the name matches the client IP address. + Attempt to look up the Postfix SMTP client host- + name, and verify that the name matches the client + IP address. The per SMTP client connection count and request rate lim- its are implemented in co-operation with the anvil(8) ser- diff --git a/postfix/html/transport.5.html b/postfix/html/transport.5.html index 6d28a3c62..3fc1f1c04 100644 --- a/postfix/html/transport.5.html +++ b/postfix/html/transport.5.html @@ -243,7 +243,7 @@ TRANSPORT(5) TRANSPORT(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire recipient address once. Thus, some.domain.hierarchy is not looked up via diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html index d8dfe9898..ab0649357 100644 --- a/postfix/html/virtual.5.html +++ b/postfix/html/virtual.5.html @@ -209,7 +209,7 @@ VIRTUAL(5) VIRTUAL(5) lookups are directed to a TCP-based server. For a descrip- tion of the TCP client/server lookup protocol, see tcp_ta- ble(5). This feature is not available up to and including - Postfix version 2.2. + Postfix version 2.3. Each lookup operation uses the entire address once. Thus, user@domain mail addresses are not broken up into their diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5 index 668d0c2e3..ad4f084a4 100644 --- a/postfix/man/man5/access.5 +++ b/postfix/man/man5/access.5 @@ -340,7 +340,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire query string once. Depending on the application, that string is an entire client diff --git a/postfix/man/man5/canonical.5 b/postfix/man/man5/canonical.5 index 5ee395108..1faefbca7 100644 --- a/postfix/man/man5/canonical.5 +++ b/postfix/man/man5/canonical.5 @@ -166,7 +166,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire address once. Thus, \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/man/man5/generic.5 b/postfix/man/man5/generic.5 index 5aa6172d4..e0ec31a84 100644 --- a/postfix/man/man5/generic.5 +++ b/postfix/man/man5/generic.5 @@ -150,7 +150,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire address once. Thus, \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index f024a3df5..69f3c1824 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -559,7 +559,8 @@ $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable. .PP Specify, for example, "best_mx_transport = local" to pass the mail -from the SMTP client to the \fBlocal\fR(8) delivery agent. You can specify +from the Postfix SMTP client to the \fBlocal\fR(8) delivery agent. You +can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the \fBtransport\fR(5) manual page for the syntax and meaning of "transport" or "transport:nexthop". @@ -1525,7 +1526,8 @@ for IPv6. .PP A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in -the master.cf SMTP server definitions. This preserves the SMTP client's +the master.cf SMTP server definitions. This preserves the Postfix +SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPV6 address is primarily useful with virtual @@ -1600,6 +1602,22 @@ and via the \fBpipe\fR(8) and \fBvirtual\fR(8) delivery agents. .PP Warning: with concurrency of 1, one bad message can be enough to block all mail to a site. +.SH internal_mail_filter_classes (default: empty) +What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. Specify zero or more of the following, separated +by whitespace or comma. +.IP "\fB bounce \fR" +Inspect the content of delivery +status notifications. +.IP "\fB notify \fR" +Inspect the content of postmaster +notifications by the \fBsmtp\fR(8) and \fBsmtpd\fR(8) processes. +.PP +NOTE: It's generally not safe to enable content inspection of +Postfix-generated email messages. The user is warned. +.PP +This feature is available in Postfix 2.3 and later. .SH invalid_hostname_reject_code (default: 501) The numerical Postfix SMTP server response code when the client HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname @@ -2232,8 +2250,8 @@ Technically, tables listed with $local_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup. .PP -If this parameter is non-empty (the default), then the Postfix SMTP server -will reject mail for unknown local users. +If this parameter is non-empty (the default), then the Postfix SMTP +server will reject mail for unknown local users. .PP To turn off local recipient checking in the Postfix SMTP server, specify "local_recipient_maps =" (i.e. empty). @@ -3764,8 +3782,8 @@ With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the word "ESMTP" appears in the server greeting banner (example: 220 spike.porcupine.org ESMTP Postfix). .SH smtp_bind_address (default: empty) -An optional numerical network address that the SMTP client should -bind to when making an IPv4 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv4 connection. .PP This can be specified in the main.cf file for all SMTP clients, or it can be specified in the master.cf file for a specific client, @@ -3789,8 +3807,8 @@ inet_interfaces documentation for more detail. Note 2: address information may be enclosed inside [], but this form is not recommended here. .SH smtp_bind_address6 (default: empty) -An optional numerical network address that the SMTP client should -bind to when making an IPv6 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv6 connection. .PP This feature is available in Postfix 2.2 and later. .PP @@ -3829,7 +3847,8 @@ This feature is available in Postfix 2.2.9 and later. The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). .PP -When no connection can be made within the deadline, the SMTP client +When no connection can be made within the deadline, the Postfix +SMTP client tries the next address on the mail exchanger list. Specify 0 to disable the time limit (i.e. use whatever timeout is implemented by the operating system). @@ -3951,7 +3970,7 @@ The default time unit is s (seconds). .SH smtp_data_xfer_timeout (default: 180s) The SMTP client time limit for sending the SMTP message content. When the connection makes no progress for more than $smtp_data_xfer_timeout -seconds the SMTP client terminates the transfer. +seconds the Postfix SMTP client terminates the transfer. .PP Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). @@ -3983,7 +4002,7 @@ into concurrency per recipient. .SH smtp_discard_ehlo_keyword_address_maps (default: empty) Lookup tables, indexed by the remote SMTP server address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, -etc.) that the SMTP client will ignore in the EHLO response from a +etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. See smtp_discard_ehlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps. @@ -3991,8 +4010,8 @@ smtpd_discard_ehlo_keyword_address_maps. This feature is available in Postfix 2.2 and later. .SH smtp_discard_ehlo_keywords (default: empty) A case insensitive list of EHLO keywords (pipelining, starttls, -auth, etc.) that the SMTP client will ignore in the EHLO response -from a remote SMTP server. +auth, etc.) that the Postfix SMTP client will ignore in the EHLO +response from a remote SMTP server. .PP This feature is available in Postfix 2.2 and later. .PP @@ -4080,7 +4099,7 @@ and for receiving the initial server response. Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). .SH smtp_host_lookup (default: dns) -What mechanisms when the SMTP client uses to look up a host's IP +What mechanisms when the Postfix SMTP client uses to look up a host's IP address. This parameter is ignored when DNS lookups are disabled. .PP Specify one of the following: @@ -4200,9 +4219,10 @@ smtp_sasl_auth_enable = yes .ad .ft R .SH smtp_sasl_auth_enforce (default: yes) -Defer mail delivery when an SMTP server does not support SASL -authentication, while smtp_sasl_password_maps contains SASL -login/password information for that server. +If sender-dependent SASL passwords are turned off, defer mail +delivery when an SMTP server does not support SASL authentication, +while smtp_sasl_password_maps contains SASL login/password information +for that server. .PP This feature is available in Postfix 2.3 and later. .SH smtp_sasl_mechanism_filter (default: empty) @@ -4295,8 +4315,8 @@ for authentication. The available types are listed with the .PP This feature is available in Postfix 2.3 and later. .SH smtp_send_xforward_command (default: no) -Send the non-standard XFORWARD command when the Postfix SMTP server EHLO -response announces XFORWARD support. +Send the non-standard XFORWARD command when the Postfix SMTP server +EHLO response announces XFORWARD support. .PP This allows an "smtp" delivery agent, used for injecting mail into a content filter, to forward the name, address, protocol and HELO @@ -4306,7 +4326,7 @@ localhost[127.0.0.1] etc. .PP This feature is available in Postfix 2.1 and later. .SH smtp_sender_dependent_authentication (default: no) -Enable sender-dependent authentication in the SMTP client; this is +Enable sender-dependent authentication in the Postfix SMTP client; this is available only with SASL authentication, and disables SMTP connection caching to ensure that mail from different senders will use the appropriate credentials. @@ -4435,7 +4455,7 @@ smtp_tls_cert_file = /etc/postfix/client.pem This feature is available in Postfix 2.2 and later. .SH smtp_tls_cipherlist (default: empty) Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS -cipher list. As this feature applies to all security levels, it is easy +cipher list. As this feature applies to all TLS security levels, it is easy to create inter-operability problems by choosing a non-default cipher list. Do not use a non-default TLS cipher list on hosts that deliver email to the public Internet: you will be unable to send email to servers that @@ -4474,7 +4494,7 @@ specified with $smtp_tls_cert_file. .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_enforce_peername (default: yes) -When TLS encryption is enforced, require that the remote SMTP +With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. As of RFC 2487 the requirements for hostname checking for MTA clients are not specified. @@ -4491,8 +4511,9 @@ CommonName of this attacker will be logged). This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead. .SH smtp_tls_exclude_ciphers (default: empty) -List of ciphers or cipher types to exclude from the SMTP client cipher -list at all security levels. This is not an OpenSSL cipherlist, it is +List of ciphers or cipher types to exclude from the Postfix +SMTP client cipher +list at all TLS security levels. This is not an OpenSSL cipherlist, it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching \fBall\fR the properties are excluded. @@ -4560,12 +4581,13 @@ loglevel 4 is strongly discouraged. .PP This feature is available in Postfix 2.2 and later. .SH smtp_tls_mandatory_ciphers (default: medium) -The minimum SMTP client TLS cipher grade that is strong enough to -be used with the "encrypt" security level and higher. The default -value "medium" is suitable for most destinations with which you may -want to enforce TLS, and is beyond the reach of today's crypt-analytic -methods. See smtp_tls_policy_maps for information on how to configure -ciphers on a per-destination basis. +The minimum TLS cipher grade that the Postfix SMTP client will +use with +mandatory TLS encryption. The default value "medium" is suitable +for most destinations with which you may want to enforce TLS, and +is beyond the reach of today's crypt-analytic methods. See +smtp_tls_policy_maps for information on how to configure ciphers +on a per-destination basis. .PP The following cipher grades are supported: .IP "\fBexport\fR" @@ -4621,16 +4643,15 @@ encryption or authentication). .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_mandatory_exclude_ciphers (default: empty) -List of ciphers or cipher types to exclude from the SMTP client -cipher list at the mandatory TLS security levels: "encrypt", "verify" -and "secure". See smtp_tls_exclude_ciphers for syntax details. When -both "exclude" parameters are defined, the combined list of ciphers is -excluded (provided the TLS security level is "encrypt" or higher). +Additional list of ciphers or cipher types to exclude from the +SMTP client cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtp_tls_exclude_ciphers +(see there for syntax details). .PP This feature is available in Postfix 2.3 and later. .SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1) -List of TLS protocol versions that are secure enough to be used -with the "encrypt" security level and higher. In main.cf the values +List of TLS protocols that the Postfix SMTP client will use +with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid separator is colon. An empty value means allow all protocols. The valid protocol names, @@ -5810,7 +5831,7 @@ This list overrides any commands built into the Postfix SMTP server. The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the null sender address. .SH smtpd_peername_lookup (default: yes) -Attempt to look up the SMTP client hostname, and verify that +Attempt to look up the Postfix SMTP client hostname, and verify that the name matches the client IP address. A client name is set to "unknown" when it cannot be looked up or verified, or when name lookup is disabled. Turning off name lookup reduces delays due to @@ -6530,67 +6551,7 @@ clients. \fBNote:\fR do not use "" quotes around the parameter value. .PP This feature is available with Postfix version 2.2. It is not used with -Postfix 2.3 and later; use smtpd_tls_ciphers instead. -.SH smtpd_tls_ciphers (default: export) -The minimum acceptable SMTP server TLS cipher grade. It is easy to -create inter-operability problems by choosing a non-default cipher grade. -Do not use a stronger than default minimum cipher grade for MX hosts on -the public Internet. Clients that begin the TLS handshake, but are unable -to agree on a common cipher, may not be able to send any email to the -SMTP server. Using a restricted cipher list may be more appropriate for a -dedicated MSA or an internal mailhub, where one can exert some control over -the TLS software and settings of the connecting clients. Configurations -with no certificates are also not likely to inter-operate with most -clients, see the notes for "smtpd_tls_cert_file". -.PP -The following cipher grades are supported: -.IP "\fBexport\fR" -Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. -This is the most appropriate setting for public MX hosts. The underlying -cipherlist is specified via the tls_export_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_export_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL". -.IP "\fBlow\fR" -Enable the mainstream "LOW" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_low_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_low_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL". -.IP "\fBmedium\fR" -Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_medium_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_medium_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL". -.IP "\fBhigh\fR" -Enable only the mainstream "HIGH" grade OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_high_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_high_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, set -"smtpd_tls_exclude_ciphers = aNULL". -.IP "\fBnull\fR" -Enable only the "NULL" OpenSSL ciphers, these provide authentication -without encryption. This setting is only appropriate in the rare -case that all clients are prepared to use NULL ciphers (not normally -enabled in TLS clients). The underlying cipherlist is specified via the -tls_null_cipherlist configuration parameter, which you are strongly -encouraged to not change. The default value of tls_null_cipherlist -excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer -data integrity without encryption or authentication). -.PP -This feature is available in Postfix 2.3 and later. +Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead. .SH smtpd_tls_dcert_file (default: empty) File with the Postfix SMTP server DSA certificate in PEM format. This file may also contain the server private key. @@ -6626,7 +6587,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024 .PP Your actual source for entropy may differ. Some systems have /dev/random; on other system you may consider using the "Entropy -Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/. +Gathering Daemon EGD", available at http://egd.sourceforge.net/ .PP Example: .PP @@ -6668,10 +6629,12 @@ must be accessible without password. This feature is available in Postfix 2.2 and later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server -cipher list. This is not an OpenSSL cipherlist; it is a simple list -separated by whitespace and/or commas. The elements are a single -cipher, or one or more "+" separated cipher properties, in which -case only ciphers matching \fBall\fR the properties are excluded. +cipher list at all TLS security levels. Excluding valid ciphers +can create interoperability problems. DO NOT exclude ciphers unless it +is essential to do so. This is not an OpenSSL cipherlist; it is a simple +list separated by whitespace and/or commas. The elements are a single +cipher, or one or more "+" separated cipher properties, in which case +only ciphers matching \fBall\fR the properties are excluded. .PP Examples (some of these will cause problems): .PP @@ -6723,23 +6686,95 @@ Use "smtpd_tls_loglevel = 3" only in case of problems. Use of loglevel 4 is strongly discouraged. .PP This feature is available in Postfix 2.2 and later. -.SH smtpd_tls_protocols (default: empty) -The list of TLS protocols supported by the Postfix SMTP server. -If the list is empty, the server supports all available TLS protocol -versions. A non-empty value is a list of protocol names separated -by whitespace, commas or colons. The supported protocol names are -"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. +.SH smtpd_tls_mandatory_ciphers (default: medium) +The minimum TLS cipher grade that the Postfix SMTP server will +use with mandatory +TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers +or smtpd_tls_exclude_ciphers are excluded from the base definition +of the selected cipher grade. With opportunistic TLS encryption, +the "export" grade is used unconditionally with exclusions specified +only via smtpd_tls_exclude_ciphers. .PP -DO NOT set this to a non-default value on an Internet MX host, -as this may cause inter-operability problems. If you restrict the -protocol list on an Internet MX host, you may lose mail. +The following cipher grades are supported: +.IP "\fBexport\fR" +Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. +This is the most appropriate setting for public MX hosts, and is always +used with opportunistic TLS encryption. The underlying cipherlist +is specified via the tls_export_cipherlist configuration parameter, +which you are strongly encouraged to not change. The default value +of tls_export_cipherlist includes anonymous ciphers, but these are +automatically filtered out if the server is configured to ask for +client certificates. If you must always exclude anonymous ciphers, +set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers +only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = +aNULL". +.IP "\fBlow\fR" +Enable the mainstream "LOW" grade or better OpenSSL ciphers. The +underlying cipherlist is specified via the tls_low_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_low_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL". +.IP "\fBmedium\fR" +Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These +are essentially the 128-bit or stronger ciphers. This is the default +minimum strength for mandatory TLS encryption. MSAs that enforce +TLS and have clients that do not support any "MEDIUM" or "HIGH" +grade ciphers, may need to configure a weaker ("low" or "export") +minimum cipher grade. The underlying cipherlist is specified via the +tls_medium_cipherlist configuration parameter, which you are strongly +encouraged to not change. The default value of tls_medium_cipherlist +includes anonymous ciphers, but these are automatically filtered out if +the server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL". +.IP "\fBhigh\fR" +Enable only the mainstream "HIGH" grade OpenSSL ciphers. The +underlying cipherlist is specified via the tls_high_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_high_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL". +.IP "\fBnull\fR" +Enable only the "NULL" OpenSSL ciphers, these provide authentication +without encryption. This setting is only appropriate in the rare +case that all clients are prepared to use NULL ciphers (not normally +enabled in TLS clients). The underlying cipherlist is specified via the +tls_null_cipherlist configuration parameter, which you are strongly +encouraged to not change. The default value of tls_null_cipherlist +excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer +data integrity without encryption or authentication). +.PP +This feature is available in Postfix 2.3 and later. +.SH smtpd_tls_mandatory_exclude_ciphers (default: empty) +Additional list of ciphers or cipher types to exclude from the +SMTP server cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtpd_tls_exclude_ciphers +(see there for syntax details). +.PP +This feature is available in Postfix 2.3 and later. +.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1) +The TLS protocols accepted by the Postfix SMTP server with +mandatory TLS encryption. With opportunistic TLS encryption, all +protocols are always accepted. If the list is empty, the server +supports all available TLS protocol versions. A non-empty value +is a list of protocol names separated by whitespace, commas or +colons. The supported protocol names are "SSLv2", "SSLv3" and +"TLSv1", and are not case sensitive. .PP Example: .PP .nf .na .ft C -smtpd_tls_protocols = SSLv3, TLSv1 +smtpd_tls_mandatory_protocols = SSLv3, TLSv1 .fi .ad .ft R @@ -6755,7 +6790,7 @@ that was recorded by the final destination can be trusted. .PP This feature is available in Postfix 2.2 and later. .SH smtpd_tls_req_ccert (default: no) -When TLS encryption is enforced, require a remote SMTP client +With mandatory TLS encryption, require a remote SMTP client certificate in order to allow TLS connections to proceed. This option implies "smtpd_tls_ask_ccert = yes". .PP @@ -6794,6 +6829,8 @@ encrypt" implies "smtpd_tls_auth_only = yes". Note 3: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. +.PP +This feature is available in Postfix 2.3 and later. .SH smtpd_tls_session_cache_database (default: empty) Name of the file containing the optional Postfix SMTP server TLS session cache. Specify a database type that supports enumeration, @@ -6977,7 +7014,7 @@ bytes (equivalent to 256 bits) is sufficient to generate a 128bit This feature is available in Postfix 2.2 and later. .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This -defines the meaning of the "export" setting in smtpd_tls_ciphers, +defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are @@ -6986,21 +7023,21 @@ strongly encouraged to not change this setting. This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines -the meaning of the "high" setting in smtpd_tls_ciphers, +the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: !EXPORT:ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines -the meaning of the "low" setting in smtpd_tls_ciphers, +the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This -defines the meaning of the "medium" setting in smtpd_tls_ciphers, +defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server @@ -7011,7 +7048,7 @@ This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: !aNULL:eNULL+kRSA) The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. This defines the meaning of the "null" -setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and +setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting. .PP diff --git a/postfix/man/man5/relocated.5 b/postfix/man/man5/relocated.5 index 67f42ad1c..e1d65a2d6 100644 --- a/postfix/man/man5/relocated.5 +++ b/postfix/man/man5/relocated.5 @@ -98,7 +98,7 @@ directed to a TCP-based server. For a description of regular expression lookup table syntax, see \fBregexp_table\fR(5) or \fBpcre_table\fR(5). For a description of the TCP client/server table lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each pattern is a regular expression that is applied to the entire address being looked up. Thus, \fIuser@domain\fR mail addresses are not @@ -119,7 +119,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire address once. Thus, \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/man/man5/transport.5 b/postfix/man/man5/transport.5 index e9a286495..e37cfe151 100644 --- a/postfix/man/man5/transport.5 +++ b/postfix/man/man5/transport.5 @@ -249,7 +249,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire recipient address once. Thus, \fIsome.domain.hierarchy\fR is not looked up via its parent domains, diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5 index 804ae9d62..0ea07d0af 100644 --- a/postfix/man/man5/virtual.5 +++ b/postfix/man/man5/virtual.5 @@ -221,7 +221,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on. This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see \fBtcp_table\fR(5). -This feature is not available up to and including Postfix version 2.2. +This feature is not available up to and including Postfix version 2.3. Each lookup operation uses the entire address once. Thus, \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/man/man8/bounce.8 b/postfix/man/man8/bounce.8 index ab5e86583..0e100933b 100644 --- a/postfix/man/man8/bounce.8 +++ b/postfix/man/man8/bounce.8 @@ -95,6 +95,10 @@ file or \fBbounce\fR(8) logfile. .IP "\fBipc_timeout (3600s)\fR" The time limit for sending or receiving information over an internal communication channel. +.IP "\fBinternal_mail_filter_classes (empty)\fR" +What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. .IP "\fBmail_name (Postfix)\fR" The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index cdb5fb019..942f20c76 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -192,12 +192,12 @@ Available in Postfix version 2.2 and later: .IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR" Lookup tables, indexed by the remote SMTP server address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, -etc.) that the SMTP client will ignore in the EHLO response from a +etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. .IP "\fBsmtp_discard_ehlo_keywords (empty)\fR" A case insensitive list of EHLO keywords (pipelining, starttls, -auth, etc.) that the SMTP client will ignore in the EHLO response -from a remote SMTP server. +auth, etc.) that the Postfix SMTP client will ignore in the EHLO +response from a remote SMTP server. .IP "\fBsmtp_generic_maps (empty)\fR" Optional lookup tables that perform address rewriting in the SMTP client, typically to transform a locally valid address into @@ -238,8 +238,8 @@ The maximal recursion level that the MIME processor will handle. .fi Available in Postfix version 2.1 and later: .IP "\fBsmtp_send_xforward_command (no)\fR" -Send the non-standard XFORWARD command when the Postfix SMTP server EHLO -response announces XFORWARD support. +Send the non-standard XFORWARD command when the Postfix SMTP server +EHLO response announces XFORWARD support. .SH "SASL AUTHENTICATION CONTROLS" .na .nf @@ -263,11 +263,12 @@ server's list of offered SASL mechanisms. .PP Available in Postfix version 2.3 and later: .IP "\fBsmtp_sasl_auth_enforce (yes)\fR" -Defer mail delivery when an SMTP server does not support SASL -authentication, while smtp_sasl_password_maps contains SASL -login/password information for that server. +If sender-dependent SASL passwords are turned off, defer mail +delivery when an SMTP server does not support SASL authentication, +while smtp_sasl_password_maps contains SASL login/password information +for that server. .IP "\fBsmtp_sender_dependent_authentication (no)\fR" -Enable sender-dependent authentication in the SMTP client; this is +Enable sender-dependent authentication in the Postfix SMTP client; this is available only with SASL authentication, and disables SMTP connection caching to ensure that mail from different senders will use the appropriate credentials. @@ -305,15 +306,16 @@ certificate. .IP "\fBsmtp_tls_cert_file (empty)\fR" File with the Postfix SMTP client RSA certificate in PEM format. .IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR" -The minimum SMTP client TLS cipher grade that is strong enough to -be used with the "encrypt" security level and higher. +The minimum TLS cipher grade that the Postfix SMTP client will +use with +mandatory TLS encryption. .IP "\fBsmtp_tls_exclude_ciphers (empty)\fR" -List of ciphers or cipher types to exclude from the SMTP client cipher -list at all security levels. +List of ciphers or cipher types to exclude from the Postfix +SMTP client cipher +list at all TLS security levels. .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR" -List of ciphers or cipher types to exclude from the SMTP client -cipher list at the mandatory TLS security levels: "encrypt", "verify" -and "secure". +Additional list of ciphers or cipher types to exclude from the +SMTP client cipher list at mandatory TLS security levels. .IP "\fBsmtp_tls_dcert_file (empty)\fR" File with the Postfix SMTP client DSA certificate in PEM format. .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR" @@ -325,13 +327,6 @@ Enable additional Postfix SMTP client logging of TLS activity. .IP "\fBsmtp_tls_note_starttls_offer (no)\fR" Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server. -.IP "\fBsmtp_tls_policy_maps (empty)\fR" -Optional lookup tables with the Postfix SMTP client TLS security -policy by next-hop destination; when a non-empty value is specified, -this overrides the obsolete smtp_tls_per_site parameter. -.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" -List of TLS protocol versions that are secure enough to be used -with the "encrypt" security level and higher. .IP "\fBsmtp_tls_scert_verifydepth (5)\fR" The verification depth for remote SMTP server certificates. .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR" @@ -382,12 +377,15 @@ STARTTLS support, otherwise send the mail in the clear. Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. .IP "\fBsmtp_tls_enforce_peername (yes)\fR" -When TLS encryption is enforced, require that the remote SMTP +With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. .IP "\fBsmtp_tls_per_site (empty)\fR" Optional lookup tables with the Postfix SMTP client TLS usage policy by next-hop destination and by remote SMTP server hostname. +.IP "\fBsmtp_tls_cipherlist (empty)\fR" +Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS +cipher list. .SH "RESOURCE AND RATE CONTROLS" .na .nf @@ -480,6 +478,10 @@ by the amount specified in $debug_peer_level. The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or protocol errors. +.IP "\fBinternal_mail_filter_classes (empty)\fR" +What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. .IP "\fBnotify_classes (resource, software)\fR" The list of error classes that are reported to the postmaster. .SH "MISCELLANEOUS CONTROLS" @@ -526,17 +528,17 @@ The process name of a Postfix command or daemon process. The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. .IP "\fBsmtp_bind_address (empty)\fR" -An optional numerical network address that the SMTP client should -bind to when making an IPv4 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv4 connection. .IP "\fBsmtp_bind_address6 (empty)\fR" -An optional numerical network address that the SMTP client should -bind to when making an IPv6 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv6 connection. .IP "\fBsmtp_helo_name ($myhostname)\fR" The hostname to send in the SMTP EHLO or HELO command. .IP "\fBlmtp_lhlo_name ($myhostname)\fR" The hostname to send in the LMTP LHLO command. .IP "\fBsmtp_host_lookup (dns)\fR" -What mechanisms when the SMTP client uses to look up a host's IP +What mechanisms when the Postfix SMTP client uses to look up a host's IP address. .IP "\fBsmtp_randomize_addresses (yes)\fR" Randomize the order of equal-preference MX host addresses. diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 75f17799c..53ea25205 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -294,12 +294,10 @@ for authentication. .fi Detailed information about STARTTLS configuration may be found in the TLS_README document. -.IP "\fBsmtpd_use_tls (no)\fR" -Opportunistic TLS: announce STARTTLS support to SMTP clients, -but do not require that clients use TLS encryption. -.IP "\fBsmtpd_enforce_tls (no)\fR" -Mandatory TLS: announce STARTTLS support to SMTP clients, -and require that clients use TLS encryption. +.IP "\fBsmtpd_tls_security_level (empty)\fR" +The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions. @@ -322,11 +320,9 @@ connections. The verification depth for remote SMTP client certificates. .IP "\fBsmtpd_tls_cert_file (empty)\fR" File with the Postfix SMTP server RSA certificate in PEM format. -.IP "\fBsmtpd_tls_ciphers (export)\fR" -The minimum acceptable SMTP server TLS cipher grade. .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR" List of ciphers or cipher types to exclude from the SMTP server -cipher list. +cipher list at all TLS security levels. .IP "\fBsmtpd_tls_dcert_file (empty)\fR" File with the Postfix SMTP server DSA certificate in PEM format. .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR" @@ -341,15 +337,23 @@ File with the Postfix SMTP server DSA private key in PEM format. File with the Postfix SMTP server RSA private key in PEM format. .IP "\fBsmtpd_tls_loglevel (0)\fR" Enable additional Postfix SMTP server logging of TLS activity. -.IP "\fBsmtpd_tls_protocols (empty)\fR" -The list of TLS protocols supported by the Postfix SMTP server. +.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" +The minimum TLS cipher grade that the Postfix SMTP server will +use with mandatory +TLS encryption. +.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" +Additional list of ciphers or cipher types to exclude from the +SMTP server cipher list at mandatory TLS security levels. +.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" +The TLS protocols accepted by the Postfix SMTP server with +mandatory TLS encryption. .IP "\fBsmtpd_tls_received_header (no)\fR" Request that the Postfix SMTP server produces Received: message headers that include information about the protocol and cipher used, as well as the client CommonName and client certificate issuer CommonName. .IP "\fBsmtpd_tls_req_ccert (no)\fR" -When TLS encryption is enforced, require a remote SMTP client +With mandatory TLS encryption, require a remote SMTP client certificate in order to allow TLS connections to proceed. .IP "\fBsmtpd_tls_session_cache_database (empty)\fR" Name of the file containing the optional Postfix SMTP server @@ -364,12 +368,6 @@ instead of using the STARTTLS command. The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its internal pseudo random number generator (PRNG). -.PP -Available in Postfix version 2.3 and later: -.IP "\fBsmtpd_tls_security_level (empty)\fR" -The SMTP TLS security level for the Postfix SMTP server; when -a non-empty value is specified, this overrides the obsolete parameters -smtpd_use_tls and smtpd_enforce_tls. .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR" The OpenSSL cipherlist for "HIGH" grade ciphers. .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR" @@ -381,6 +379,23 @@ The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. .IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR" The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. +.SH "OBSOLETE STARTTLS CONTROLS" +.na +.nf +.ad +.fi +The following configuration parameters exist for compatibility +with Postfix versions before 2.3. Support for these will +be removed in a future release. +.IP "\fBsmtpd_use_tls (no)\fR" +Opportunistic TLS: announce STARTTLS support to SMTP clients, +but do not require that clients use TLS encryption. +.IP "\fBsmtpd_enforce_tls (no)\fR" +Mandatory TLS: announce STARTTLS support to SMTP clients, +and require that clients use TLS encryption. +.IP "\fBsmtpd_tls_cipherlist (empty)\fR" +Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS +cipher list. .SH "VERP SUPPORT CONTROLS" .na .nf @@ -427,6 +442,10 @@ by the amount specified in $debug_peer_level. The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or protocol errors. +.IP "\fBinternal_mail_filter_classes (empty)\fR" +What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. .IP "\fBnotify_classes (resource, software)\fR" The list of error classes that are reported to the postmaster. .IP "\fBsoft_bounce (no)\fR" @@ -543,7 +562,7 @@ before it is flushed upon receipt of EHLO, RSET, or end of DATA. .PP Available in Postfix version 2.3 and later: .IP "\fBsmtpd_peername_lookup (yes)\fR" -Attempt to look up the SMTP client hostname, and verify that +Attempt to look up the Postfix SMTP client hostname, and verify that the name matches the client IP address. .PP The per SMTP client connection count and request rate limits are diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index cebb2798b..57e3c8a43 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -182,6 +182,7 @@ while (<>) { s;\bhopcount_limit\b;$&;g; s;\bhtml_direc[-]*\n*[ ]*tory\b;$&;g; s;\bignore_mx_lookup_error\b;$&;g; + s;\binternal_mail_filter_classes\b;$&;g; s;\bimport_environment\b;$&;g; s;\bin_flow_delay\b;$&;g; s;\binet_inter[-]*\n*[ ]*faces\b;$&;g; @@ -531,6 +532,7 @@ while (<>) { s;\bsmtp_tls_CApath\b;$&;g; s;\bsmtp_tls_cert_file\b;$&;g; s;\bsmtp_tls_mandatory_ciphers\b;$&;g; + s;\bsmtp_tls_cipherlist\b;$&;g; s;\bsmtp_tls_exclude_ciphers\b;$&;g; s;\bsmtp_tls_mandatory_exclude_ciphers\b;$&;g; s;\bsmtp_tls_dcert_file\b;$&;g; @@ -559,8 +561,10 @@ while (<>) { s;\bsmtpd_tls_auth_only\b;$&;g; s;\bsmtpd_tls_ccert_verifydepth\b;$&;g; s;\bsmtpd_tls_cert_file\b;$&;g; - s;\bsmtpd_tls_ciphers\b;$&;g; + s;\bsmtpd_tls_cipherlist\b;$&;g; s;\bsmtpd_tls_exclude_ciphers\b;$&;g; + s;\bsmtpd_tls_mandatory_ciphers\b;$&;g; + s;\bsmtpd_tls_mandatory_exclude_ciphers\b;$&;g; s;\bsmtpd_tls_dcert_file\b;$&;g; s;\bsmtpd_tls_dh1024_param_file\b;$&;g; s;\bsmtpd_tls_dh512_param_file\b;$&;g; @@ -568,7 +572,7 @@ while (<>) { s;\bsmtpd_tls_key_file\b;$&;g; s;\bsmtpd_tls_security_level\b;$&;g; s;\bsmtpd_tls_loglevel\b;$&;g; - s;\bsmtpd_tls_protocols\b;$&;g; + s;\bsmtpd_tls_mandatory_protocols\b;$&;g; s;\bsmtpd_tls_received_header\b;$&;g; s;\bsmtpd_tls_req_ccert\b;$&;g; s;\bsmtpd_tls_session_cache_database\b;$&;g; diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html index beb6c87bf..1d66b4fe9 100644 --- a/postfix/proto/ADDRESS_VERIFICATION_README.html +++ b/postfix/proto/ADDRESS_VERIFICATION_README.html @@ -230,6 +230,10 @@ and there are no surprises. If a recipient probe fails, then Postfix rejects mail for the recipient address. If a recipient probe succeeds, then Postfix accepts mail for the recipient address.

    +

    By default, address verification results are not saved. To avoid +probing the same address repeatedly, you can store the result in a +persistent database as described later.

    + 
     /etc/postfix/main.cf:
diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html
index 7161a05f6..fb7679144 100644
--- a/postfix/proto/FILTER_README.html
+++ b/postfix/proto/FILTER_README.html
@@ -615,6 +615,7 @@ how one would set up the service in the Postfix master.cf file:
     # =============================================================
     scan      unix  -       -       n       -       10      smtp
         -o smtp_send_xforward_command=yes
+        -o disable_mime_output_conversion=yes
    @@ -633,6 +634,13 @@ after-filter smtpd process, so that filtered mail is logged with the real client name IP address. See smtp(8) and XFORWARD_README for more information.

    +

  • With "-o disable_mime_output_conversion=yes", the scan +delivery agent will not convert 8BITMIME mail to quoted-printable +form while delivering to the content filter, as that would invalidate +domainkeys and other digital signatures. This workaround is needed +because some SMTP-based content filters don't announce 8BITMIME +support, even though they can handle it just fine.

    +

    Advanced content filter: running the content filter

    diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html index acd6dddfd..8e56061f2 100644 --- a/postfix/proto/MILTER_README.html +++ b/postfix/proto/MILTER_README.html @@ -32,13 +32,14 @@ href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF and Domain keys) or to digitally sign mail (example: Domain keys). -Having yet another MTA-specific version of all that software is a -poor use of human and system resources.

    +Having yet another Postfix-specific version of all that software +is a poor use of human and system resources.

    Postfix 2.3 implements all the requests of Sendmail version 8 Milter protocols up to version 4, except one: message body replacement. -See, however, the limitations section -at the end of this document.

    +See, however, the workarounds and limitations sections at the end of this +document.

    This document provides information on the following topics:

    @@ -337,7 +338,7 @@ Connect to the specified TCP port on the specified local or remote host. The host and port can be specified in numeric or symbolic form.

    -

    Note: Postfix syntax differs from Milter syntax which has the +

    NOTE: Postfix syntax differs from Milter syntax which has the form inet:port@host.

    • @@ -611,6 +612,13 @@ TO

    Workarounds

    +

    Content filters may break domain key etc. signatures. If you +use an SMTP-based filter as described in FILTER_README, then you +should add a line to master.cf with "disable_mime_output_conversion += yes", as described in the advanced content filter +example.

    +

    Sendmail Milter applications were originally developed for the Sendmail version 8 MTA, which has a different architecture than Postfix. The result is that some Milter applications make assumptions @@ -618,6 +626,10 @@ that aren't true in a Postfix environment.

    diff --git a/postfix/proto/access b/postfix/proto/access index 7491acd62..2e2af8615 100644 --- a/postfix/proto/access +++ b/postfix/proto/access @@ -339,7 +339,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire query string once. # Depending on the application, that string is an entire client diff --git a/postfix/proto/canonical b/postfix/proto/canonical index 30d99fec3..1aeb6e752 100644 --- a/postfix/proto/canonical +++ b/postfix/proto/canonical @@ -146,7 +146,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/proto/generic b/postfix/proto/generic index 8a0e8e972..d19dfde45 100644 --- a/postfix/proto/generic +++ b/postfix/proto/generic @@ -130,7 +130,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 19233b2e3..f233c4662 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -608,7 +608,8 @@ the Postfix SMTP client returns such mail as undeliverable.

    Specify, for example, "best_mx_transport = local" to pass the mail -from the SMTP client to the local(8) delivery agent. You can specify +from the Postfix SMTP client to the local(8) delivery agent. You +can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop". @@ -1703,7 +1704,8 @@ for IPv6.

    A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in -the master.cf SMTP server definitions. This preserves the SMTP client's +the master.cf SMTP server definitions. This preserves the Postfix +SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPV6 address is primarily useful with virtual @@ -2070,8 +2072,8 @@ lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

    -If this parameter is non-empty (the default), then the Postfix SMTP server -will reject mail for unknown local users. +If this parameter is non-empty (the default), then the Postfix SMTP +server will reject mail for unknown local users.

    @@ -3498,8 +3500,8 @@ the word "ESMTP" appears in the server greeting banner (example: %PARAM smtp_bind_address

    -An optional numerical network address that the SMTP client should -bind to when making an IPv4 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv4 connection.

    @@ -3525,8 +3527,8 @@ but this form is not recommended here.

    %PARAM smtp_bind_address6

    -An optional numerical network address that the SMTP client should -bind to when making an IPv6 connection. +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv6 connection.

    This feature is available in Postfix 2.2 and later.

    @@ -3673,7 +3675,8 @@ zero (use the operating system built-in time limit).

    -When no connection can be made within the deadline, the SMTP client +When no connection can be made within the deadline, the Postfix +SMTP client tries the next address on the mail exchanger list. Specify 0 to disable the time limit (i.e. use whatever timeout is implemented by the operating system). @@ -3718,7 +3721,7 @@ The default time unit is s (seconds).

    The SMTP client time limit for sending the SMTP message content. When the connection makes no progress for more than $smtp_data_xfer_timeout -seconds the SMTP client terminates the transfer. +seconds the Postfix SMTP client terminates the transfer.

    @@ -3864,7 +3867,7 @@ The default time unit is s (seconds). %PARAM smtp_host_lookup dns

    -What mechanisms when the SMTP client uses to look up a host's IP +What mechanisms when the Postfix SMTP client uses to look up a host's IP address. This parameter is ignored when DNS lookups are disabled.

    @@ -4123,8 +4126,8 @@ smtp_sasl_mechanism_filter = !gssapi, !login, static:rest %PARAM smtp_send_xforward_command no

    -Send the non-standard XFORWARD command when the Postfix SMTP server EHLO -response announces XFORWARD support. +Send the non-standard XFORWARD command when the Postfix SMTP server +EHLO response announces XFORWARD support.

    @@ -7861,8 +7864,8 @@ and virtual_alias_maps.

    %PARAM smtp_discard_ehlo_keywords

    A case insensitive list of EHLO keywords (pipelining, starttls, -auth, etc.) that the SMTP client will ignore in the EHLO response -from a remote SMTP server.

    +auth, etc.) that the Postfix SMTP client will ignore in the EHLO +response from a remote SMTP server.

    This feature is available in Postfix 2.2 and later.

    @@ -7902,7 +7905,7 @@ to discard EHLO keywords selectively.

    Lookup tables, indexed by the remote SMTP server address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, -etc.) that the SMTP client will ignore in the EHLO response from a +etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. See smtp_discard_ehlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps.

    @@ -8279,7 +8282,7 @@ may be annoying, so this option is "off" by default.

    %PARAM smtpd_tls_req_ccert no -

    When TLS encryption is enforced, require a remote SMTP client +

    With mandatory TLS encryption, require a remote SMTP client certificate in order to allow TLS connections to proceed. This option implies "smtpd_tls_ask_ccert = yes".

    @@ -8384,7 +8387,7 @@ clients.

    Note: do not use "" quotes around the parameter value.

    This feature is available with Postfix version 2.2. It is not used with -Postfix 2.3 and later; use smtpd_tls_ciphers instead.

    +Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

    %PARAM smtpd_tls_dh1024_param_file @@ -8401,7 +8404,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024

    Your actual source for entropy may differ. Some systems have /dev/random; on other system you may consider using the "Entropy -Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/. +Gathering Daemon EGD", available at http://egd.sourceforge.net/

    Example:

    @@ -8636,7 +8639,7 @@ Postfix 2.3 and later use smtp_tls_security_level instead.

    %PARAM smtp_tls_enforce_peername yes -

    When TLS encryption is enforced, require that the remote SMTP +

    With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. As of RFC 2487 the requirements for hostname checking for MTA clients are not specified.

    @@ -8753,7 +8756,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] %PARAM smtp_tls_cipherlist

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS -cipher list. As this feature applies to all security levels, it is easy +cipher list. As this feature applies to all TLS security levels, it is easy to create inter-operability problems by choosing a non-default cipher list. Do not use a non-default TLS cipher list on hosts that deliver email to the public Internet: you will be unable to send email to servers that @@ -8938,7 +8941,7 @@ process instance while mail is being forwarded.

    %PARAM smtpd_peername_lookup yes -

    Attempt to look up the SMTP client hostname, and verify that +

    Attempt to look up the Postfix SMTP client hostname, and verify that the name matches the client IP address. A client name is set to "unknown" when it cannot be looked up or verified, or when name lookup is disabled. Turning off name lookup reduces delays due to @@ -9015,7 +9018,7 @@ This feature is available in Postfix 2.3 and later. %PARAM smtp_sender_dependent_authentication no

    -Enable sender-dependent authentication in the SMTP client; this is +Enable sender-dependent authentication in the Postfix SMTP client; this is available only with SASL authentication, and disables SMTP connection caching to ensure that mail from different senders will use the appropriate credentials.

    @@ -9614,8 +9617,8 @@ configurations in environments where DNS security is not assured.

    %PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1 -

    List of TLS protocol versions that are secure enough to be used -with the "encrypt" security level and higher. In main.cf the values +

    List of TLS protocols that the Postfix SMTP client will use +with mandatory TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid separator is colon. An empty value means allow all protocols. The valid protocol names, @@ -9772,22 +9775,20 @@ configuration parameter. See there for details.

    This feature is available in Postfix 2.3 and later.

    -%PARAM smtpd_tls_protocols +%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1 -

    The list of TLS protocols supported by the Postfix SMTP server. -If the list is empty, the server supports all available TLS protocol -versions. A non-empty value is a list of protocol names separated -by whitespace, commas or colons. The supported protocol names are -"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

    - -

    DO NOT set this to a non-default value on an Internet MX host, -as this may cause inter-operability problems. If you restrict the -protocol list on an Internet MX host, you may lose mail.

    +

    The TLS protocols accepted by the Postfix SMTP server with +mandatory TLS encryption. With opportunistic TLS encryption, all +protocols are always accepted. If the list is empty, the server +supports all available TLS protocol versions. A non-empty value +is a list of protocol names separated by whitespace, commas or +colons. The supported protocol names are "SSLv2", "SSLv3" and +"TLSv1", and are not case sensitive.

    Example: 

    -smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1

    This feature is available in Postfix 2.3 and later.

    @@ -10070,61 +10071,68 @@ meanings.

    This feature is available in Postfix 2.3 and later.

    -%PARAM smtpd_tls_ciphers export +%PARAM smtpd_tls_mandatory_ciphers medium -

    The minimum acceptable SMTP server TLS cipher grade. It is easy to -create inter-operability problems by choosing a non-default cipher grade. -Do not use a stronger than default minimum cipher grade for MX hosts on -the public Internet. Clients that begin the TLS handshake, but are unable -to agree on a common cipher, may not be able to send any email to the -SMTP server. Using a restricted cipher list may be more appropriate for a -dedicated MSA or an internal mailhub, where one can exert some control over -the TLS software and settings of the connecting clients. Configurations -with no certificates are also not likely to inter-operate with most -clients, see the notes for "smtpd_tls_cert_file".

    +

    The minimum TLS cipher grade that the Postfix SMTP server will +use with mandatory +TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers +or smtpd_tls_exclude_ciphers are excluded from the base definition +of the selected cipher grade. With opportunistic TLS encryption, +the "export" grade is used unconditionally with exclusions specified +only via smtpd_tls_exclude_ciphers.

    The following cipher grades are supported:

    export
    Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. -This is the most appropriate setting for public MX hosts. The underlying -cipherlist is specified via the tls_export_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_export_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for +This is the most appropriate setting for public MX hosts, and is always +used with opportunistic TLS encryption. The underlying cipherlist +is specified via the tls_export_cipherlist configuration parameter, +which you are strongly encouraged to not change. The default value +of tls_export_cipherlist includes anonymous ciphers, but these are +automatically filtered out if the server is configured to ask for client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    +set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers +only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = +aNULL".
    low
    -
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_low_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_low_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    +
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. The +underlying cipherlist is specified via the tls_low_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_low_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    medium
    -
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_medium_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_medium_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, -set "smtpd_tls_exclude_ciphers = aNULL".
    +
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These +are essentially the 128-bit or stronger ciphers. This is the default +minimum strength for mandatory TLS encryption. MSAs that enforce +TLS and have clients that do not support any "MEDIUM" or "HIGH" +grade ciphers, may need to configure a weaker ("low" or "export") +minimum cipher grade. The underlying cipherlist is specified via the +tls_medium_cipherlist configuration parameter, which you are strongly +encouraged to not change. The default value of tls_medium_cipherlist +includes anonymous ciphers, but these are automatically filtered out if +the server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    high
    -
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying -cipherlist is specified via the tls_high_cipherlist configuration -parameter, which you are strongly encouraged to not change. The default -value of tls_high_cipherlist includes anonymous ciphers, but these -are automatically filtered out if the server is configured to ask for -client certificates. If you must always exclude anonymous ciphers, set -"smtpd_tls_exclude_ciphers = aNULL".
    +
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. The +underlying cipherlist is specified via the tls_high_cipherlist +configuration parameter, which you are strongly encouraged to +not change. The default value of tls_high_cipherlist includes +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for client certificates. If you must +always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = +aNULL". To exclude anonymous ciphers only when TLS is enforced, set +"smtpd_tls_mandatory_exclude_ciphers = aNULL".
    null
    Enable only the "NULL" OpenSSL ciphers, these provide authentication @@ -10143,10 +10151,12 @@ data integrity without encryption or authentication).
    %PARAM smtpd_tls_exclude_ciphers

    List of ciphers or cipher types to exclude from the SMTP server -cipher list. This is not an OpenSSL cipherlist; it is a simple list -separated by whitespace and/or commas. The elements are a single -cipher, or one or more "+" separated cipher properties, in which -case only ciphers matching all the properties are excluded.

    +cipher list at all TLS security levels. Excluding valid ciphers +can create interoperability problems. DO NOT exclude ciphers unless it +is essential to do so. This is not an OpenSSL cipherlist; it is a simple +list separated by whitespace and/or commas. The elements are a single +cipher, or one or more "+" separated cipher properties, in which case +only ciphers matching all the properties are excluded.

    Examples (some of these will cause problems):

    @@ -10167,14 +10177,24 @@ key exchange with RSA authentication.

    This feature is available in Postfix 2.3 and later.

    +%PARAM smtpd_tls_mandatory_exclude_ciphers + +

    Additional list of ciphers or cipher types to exclude from the +SMTP server cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtpd_tls_exclude_ciphers +(see there for syntax details).

    + +

    This feature is available in Postfix 2.3 and later.

    + %PARAM smtp_tls_mandatory_ciphers medium -

    The minimum SMTP client TLS cipher grade that is strong enough to -be used with the "encrypt" security level and higher. The default -value "medium" is suitable for most destinations with which you may -want to enforce TLS, and is beyond the reach of today's crypt-analytic -methods. See smtp_tls_policy_maps for information on how to configure -ciphers on a per-destination basis.

    +

    The minimum TLS cipher grade that the Postfix SMTP client will +use with +mandatory TLS encryption. The default value "medium" is suitable +for most destinations with which you may want to enforce TLS, and +is beyond the reach of today's crypt-analytic methods. See +smtp_tls_policy_maps for information on how to configure ciphers +on a per-destination basis.

    The following cipher grades are supported:

    @@ -10240,8 +10260,9 @@ encryption or authentication). %PARAM smtp_tls_exclude_ciphers -

    List of ciphers or cipher types to exclude from the SMTP client cipher -list at all security levels. This is not an OpenSSL cipherlist, it is +

    List of ciphers or cipher types to exclude from the Postfix +SMTP client cipher +list at all TLS security levels. This is not an OpenSSL cipherlist, it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching all the properties are excluded.

    @@ -10267,18 +10288,17 @@ key exchange with RSA authentication.

    %PARAM smtp_tls_mandatory_exclude_ciphers -

    List of ciphers or cipher types to exclude from the SMTP client -cipher list at the mandatory TLS security levels: "encrypt", "verify" -and "secure". See smtp_tls_exclude_ciphers for syntax details. When -both "exclude" parameters are defined, the combined list of ciphers is -excluded (provided the TLS security level is "encrypt" or higher).

    +

    Additional list of ciphers or cipher types to exclude from the +SMTP client cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtp_tls_exclude_ciphers +(see there for syntax details).

    This feature is available in Postfix 2.3 and later.

    %PARAM tls_high_cipherlist !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH

    The OpenSSL cipherlist for "HIGH" grade ciphers. This defines -the meaning of the "high" setting in smtpd_tls_ciphers, +the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    @@ -10287,7 +10307,7 @@ strongly encouraged to not change this setting.

    %PARAM tls_medium_cipherlist !EXPORT:!LOW:ALL:+RC4:@STRENGTH

    The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This -defines the meaning of the "medium" setting in smtpd_tls_ciphers, +defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server @@ -10299,7 +10319,7 @@ setting.

    %PARAM tls_low_cipherlist !EXPORT:ALL:+RC4:@STRENGTH

    The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines -the meaning of the "low" setting in smtpd_tls_ciphers, +the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    @@ -10308,7 +10328,7 @@ strongly encouraged to not change this setting.

    %PARAM tls_export_cipherlist ALL:+RC4:@STRENGTH

    The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This -defines the meaning of the "export" setting in smtpd_tls_ciphers, +defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are @@ -10320,7 +10340,7 @@ strongly encouraged to not change this setting.

    The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. This defines the meaning of the "null" -setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and +setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

    @@ -10349,9 +10369,10 @@ configuration parameter. See there for details.

    %PARAM smtp_sasl_auth_enforce yes -

    Defer mail delivery when an SMTP server does not support SASL -authentication, while smtp_sasl_password_maps contains SASL -login/password information for that server.

    +

    If sender-dependent SASL passwords are turned off, defer mail +delivery when an SMTP server does not support SASL authentication, +while smtp_sasl_password_maps contains SASL login/password information +for that server.

    This feature is available in Postfix 2.3 and later.

    @@ -10399,3 +10420,27 @@ encrypt" implies "smtpd_tls_auth_only = yes".

    Note 3: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM internal_mail_filter_classes + +

    What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. Specify zero or more of the following, separated +by whitespace or comma.

    + +
    + +
    bounce
    Inspect the content of delivery +status notifications.
    + +
    notify
    Inspect the content of postmaster +notifications by the smtp(8) and smtpd(8) processes.
    + +
    + +

    NOTE: It's generally not safe to enable content inspection of +Postfix-generated email messages. The user is warned.

    + +

    This feature is available in Postfix 2.3 and later.

    diff --git a/postfix/proto/relocated b/postfix/proto/relocated index 49a3a2eac..f1e1fe55b 100644 --- a/postfix/proto/relocated +++ b/postfix/proto/relocated @@ -82,7 +82,7 @@ # expression lookup table syntax, see \fBregexp_table\fR(5) or # \fBpcre_table\fR(5). For a description of the TCP client/server # table lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each pattern is a regular expression that is applied to the entire # address being looked up. Thus, \fIuser@domain\fR mail addresses are not @@ -101,7 +101,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/proto/transport b/postfix/proto/transport index 4546a0095..0a6029f2b 100644 --- a/postfix/proto/transport +++ b/postfix/proto/transport @@ -229,7 +229,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire recipient address once. Thus, # \fIsome.domain.hierarchy\fR is not looked up via its parent domains, diff --git a/postfix/proto/virtual b/postfix/proto/virtual index e732a1a68..7f60d562b 100644 --- a/postfix/proto/virtual +++ b/postfix/proto/virtual @@ -199,7 +199,7 @@ # This section describes how the table lookups change when lookups # are directed to a TCP-based server. For a description of the TCP # client/server lookup protocol, see \fBtcp_table\fR(5). -# This feature is not available up to and including Postfix version 2.2. +# This feature is not available up to and including Postfix version 2.3. # # Each lookup operation uses the entire address once. Thus, # \fIuser@domain\fR mail addresses are not broken up into their diff --git a/postfix/src/bounce/bounce.c b/postfix/src/bounce/bounce.c index d9fe163b5..c09d36eed 100644 --- a/postfix/src/bounce/bounce.c +++ b/postfix/src/bounce/bounce.c @@ -83,6 +83,10 @@ /* .IP "\fBipc_timeout (3600s)\fR" /* The time limit for sending or receiving information over an internal /* communication channel. +/* .IP "\fBinternal_mail_filter_classes (empty)\fR" +/* What categories of Postfix-generated mail are subject to +/* before-queue content inspection by non_smtpd_milters, header_checks +/* and body_checks. /* .IP "\fBmail_name (Postfix)\fR" /* The mail system name that is displayed in Received: headers, in /* the SMTP greeting banner, and in bounced mail. diff --git a/postfix/src/bounce/bounce_notify_service.c b/postfix/src/bounce/bounce_notify_service.c index 8c3550594..2f9fdb81b 100644 --- a/postfix/src/bounce/bounce_notify_service.c +++ b/postfix/src/bounce/bounce_notify_service.c @@ -174,7 +174,7 @@ int bounce_notify_service(int flags, char *service, char *queue_name, postmaster = var_2bounce_rcpt; if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), postmaster, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -213,7 +213,7 @@ int bounce_notify_service(int flags, char *service, char *queue_name, */ else { if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -267,7 +267,7 @@ int bounce_notify_service(int flags, char *service, char *queue_name, postmaster = var_bounce_rcpt; if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), postmaster, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { count = -1; diff --git a/postfix/src/bounce/bounce_notify_verp.c b/postfix/src/bounce/bounce_notify_verp.c index 4fcdf644c..dbc5e5613 100644 --- a/postfix/src/bounce/bounce_notify_verp.c +++ b/postfix/src/bounce/bounce_notify_verp.c @@ -158,7 +158,7 @@ int bounce_notify_verp(int flags, char *service, char *queue_name, } else { verp_sender(verp_buf, verp_delims, recipient, rcpt->address); if ((bounce = post_mail_fopen_nowait(NULL_SENDER, STR(verp_buf), - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -217,7 +217,7 @@ int bounce_notify_verp(int flags, char *service, char *queue_name, postmaster = var_bounce_rcpt; if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), postmaster, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { if (bounce_header(bounce, bounce_info, postmaster, diff --git a/postfix/src/bounce/bounce_one_service.c b/postfix/src/bounce/bounce_one_service.c index 6d6ca629a..5373e74e1 100644 --- a/postfix/src/bounce/bounce_one_service.c +++ b/postfix/src/bounce/bounce_one_service.c @@ -147,7 +147,7 @@ int bounce_one_service(int flags, char *queue_name, char *queue_id, } else { if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), var_2bounce_rcpt, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -183,7 +183,7 @@ int bounce_one_service(int flags, char *queue_name, char *queue_id, bounce_status = 0; } else { if ((bounce = post_mail_fopen_nowait(NULL_SENDER, orig_sender, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -228,7 +228,7 @@ int bounce_one_service(int flags, char *queue_name, char *queue_id, */ if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), var_bounce_rcpt, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { if (bounce_header(bounce, bounce_info, var_bounce_rcpt, diff --git a/postfix/src/bounce/bounce_trace_service.c b/postfix/src/bounce/bounce_trace_service.c index 747e6f400..78d1b9362 100644 --- a/postfix/src/bounce/bounce_trace_service.c +++ b/postfix/src/bounce/bounce_trace_service.c @@ -140,7 +140,7 @@ int bounce_trace_service(int flags, char *service, char *queue_name, * a new queue file. */ if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { count = -1; diff --git a/postfix/src/bounce/bounce_warn_service.c b/postfix/src/bounce/bounce_warn_service.c index 98db272ea..cb19579a1 100644 --- a/postfix/src/bounce/bounce_warn_service.c +++ b/postfix/src/bounce/bounce_warn_service.c @@ -164,7 +164,7 @@ int bounce_warn_service(int unused_flags, char *service, char *queue_name, postmaster = var_delay_rcpt; if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), postmaster, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -202,7 +202,7 @@ int bounce_warn_service(int unused_flags, char *service, char *queue_name, */ else { if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { @@ -252,7 +252,7 @@ int bounce_warn_service(int unused_flags, char *service, char *queue_name, postmaster = var_delay_rcpt; if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(), postmaster, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { count = -1; diff --git a/postfix/src/cleanup/cleanup.h b/postfix/src/cleanup/cleanup.h index 2db16f4cf..cc0a9bd51 100644 --- a/postfix/src/cleanup/cleanup.h +++ b/postfix/src/cleanup/cleanup.h @@ -90,6 +90,8 @@ typedef struct CLEANUP_STATE { int defer_delay; /* deferred delivery */ #endif MILTERS *milters; /* mail filters */ + const char *client_name; /* real or ersatz client */ + const char *client_addr; /* real or ersatz client */ } CLEANUP_STATE; /* diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index f5d49c102..ebd1f5ce7 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -1265,7 +1265,8 @@ void cleanup_milter_receive(CLEANUP_STATE *state, int count) /* cleanup_milter_apply - apply Milter reponse, non-zero if rejecting */ -static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp) +static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event, + const char *resp) { const char *myname = "cleanup_milter_apply"; const char *action; @@ -1337,7 +1338,9 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp) default: msg_panic("%s: unexpected mail filter reply: %s", myname, resp); } - vstring_sprintf(state->temp1, "%s: %s;", state->queue_id, action); + vstring_sprintf(state->temp1, "%s: %s: %s from %s[%s]: %s;", + state->queue_id, action, event, state->client_name, + state->client_addr, text); if (state->sender) vstring_sprintf_append(state->temp1, " from=<%s>", state->sender); if (state->recip) @@ -1346,7 +1349,6 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp) vstring_sprintf_append(state->temp1, " proto=%s", attr); if ((attr = nvtable_find(state->attr, MAIL_ATTR_LOG_HELO_NAME)) != 0) vstring_sprintf_append(state->temp1, " helo=<%s>", attr); - vstring_sprintf_append(state->temp1, ": %s", text); msg_info("%s", vstring_str(state->temp1)); return (ret); @@ -1368,7 +1370,7 @@ void cleanup_milter_inspect(CLEANUP_STATE *state, MILTERS *milters) */ if ((resp = milter_message(milters, state->handle->stream, state->data_offset)) != 0) - cleanup_milter_apply(state, resp); + cleanup_milter_apply(state, "END-OF-MESSAGE", resp); if (msg_verbose) msg_info("leave %s", myname); } @@ -1380,8 +1382,6 @@ void cleanup_milter_emul_mail(CLEANUP_STATE *state, const char *addr) { const char *resp; - const char *client_name; - const char *client_addr; const char *proto_attr; const char *client_port; int client_af; @@ -1404,14 +1404,15 @@ void cleanup_milter_emul_mail(CLEANUP_STATE *state, */ #define NO_CLIENT_PORT "0" - client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME); - client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR); + state->client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME); + state->client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR); + client_port = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_PORT); proto_attr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_AF); - if (client_name == 0 || client_addr == 0 || proto_attr == 0 + if (state->client_name == 0 || state->client_addr == 0 || proto_attr == 0 || !alldig(proto_attr)) { - client_name = "localhost"; - client_addr = "127.0.0.1"; + state->client_name = "localhost"; + state->client_addr = "127.0.0.1"; client_af = AF_INET; } else client_af = atoi(proto_attr); @@ -1421,18 +1422,18 @@ void cleanup_milter_emul_mail(CLEANUP_STATE *state, /* * Emulate SMTP events. */ - if ((resp = milter_conn_event(milters, client_name, client_addr, + if ((resp = milter_conn_event(milters, state->client_name, state->client_addr, client_port, client_af)) != 0) { - cleanup_milter_apply(state, resp); + cleanup_milter_apply(state, "CONNECT", resp); return; } #define PRETEND_ESMTP 1 if (CLEANUP_MILTER_OK(state)) { if ((helo = nvtable_find(state->attr, MAIL_ATTR_ACT_HELO_NAME)) == 0) - helo = client_name; + helo = state->client_name; if ((resp = milter_helo_event(milters, helo, PRETEND_ESMTP)) != 0) { - cleanup_milter_apply(state, resp); + cleanup_milter_apply(state, "EHLO", resp); return; } } @@ -1440,7 +1441,7 @@ void cleanup_milter_emul_mail(CLEANUP_STATE *state, argv[0] = addr; argv[1] = 0; if ((resp = milter_mail_event(milters, argv)) != 0) { - cleanup_milter_apply(state, resp); + cleanup_milter_apply(state, "MAIL", resp); return; } } @@ -1463,7 +1464,7 @@ void cleanup_milter_emul_rcpt(CLEANUP_STATE *state, argv[0] = addr; argv[1] = 0; if ((resp = milter_rcpt_event(milters, argv)) != 0 - && cleanup_milter_apply(state, resp) != 0) { + && cleanup_milter_apply(state, "RCPT", resp) != 0) { msg_warn("%s: milter configuration error: can't reject recipient " "in non-smtpd(8) submission", state->queue_id); msg_warn("%s: deferring delivery of this message", state->queue_id); @@ -1481,7 +1482,7 @@ void cleanup_milter_emul_data(CLEANUP_STATE *state, MILTERS *milters) const char *resp; if ((resp = milter_data_event(milters)) != 0) - cleanup_milter_apply(state, resp); + cleanup_milter_apply(state, "DATA", resp); } #ifdef TEST diff --git a/postfix/src/cleanup/cleanup_state.c b/postfix/src/cleanup/cleanup_state.c index 495ece4b3..fae7fdd58 100644 --- a/postfix/src/cleanup/cleanup_state.c +++ b/postfix/src/cleanup/cleanup_state.c @@ -108,6 +108,8 @@ CLEANUP_STATE *cleanup_state_alloc(VSTREAM *src) state->dsn_orcpt = 0; state->verp_delims = 0; state->milters = 0; + state->client_name = 0; + state->client_addr = 0; return (state); } diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index 21ec0d22d..ab9162360 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -1,88 +1,85 @@ SHELL = /bin/sh SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \ canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \ - clnt_stream.c debug_peer.c debug_process.c defer.c db_common.c \ - deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \ - dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \ - dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \ - header_opts.c header_token.c input_transp.c \ - is_header.c log_adhoc.c mail_addr.c mail_addr_crunch.c \ - mail_addr_find.c mail_addr_map.c mail_command_client.c \ - mail_command_server.c mail_conf.c mail_conf_bool.c mail_conf_int.c \ - mail_conf_raw.c mail_conf_str.c mail_conf_time.c mail_connect.c \ - mail_copy.c mail_date.c mail_dict.c mail_error.c mail_flush.c \ - mail_open_ok.c mail_params.c mail_pathname.c mail_queue.c \ - mail_run.c mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c \ - maps.c mark_corrupt.c match_parent_style.c mbox_conf.c \ - mbox_open.c mime_state.c mkmap_db.c mkmap_dbm.c mkmap_open.c \ - mynetworks.c mypwd.c namadr_list.c off_cvt.c opened.c \ - own_inet_addr.c pipe_command.c post_mail.c quote_821_local.c \ - quote_822_local.c rec_streamlf.c rec_type.c recipient_list.c \ - record.c remove.c resolve_clnt.c resolve_local.c rewrite_clnt.c \ + clnt_stream.c conv_time.c db_common.c debug_peer.c debug_process.c \ + defer.c deliver_completed.c deliver_flock.c deliver_pass.c \ + deliver_request.c dict_ldap.c dict_mysql.c dict_pgsql.c \ + dict_proxy.c domain_list.c dot_lockfile.c dot_lockfile_as.c \ + dsb_scan.c dsn.c dsn_buf.c dsn_mask.c dsn_print.c dsn_util.c \ + ehlo_mask.c ext_prop.c file_id.c flush_clnt.c header_opts.c \ + header_token.c input_transp.c int_filt.c is_header.c log_adhoc.c \ + mail_addr.c mail_addr_crunch.c mail_addr_find.c mail_addr_map.c \ + mail_command_client.c mail_command_server.c mail_conf.c \ + mail_conf_bool.c mail_conf_int.c mail_conf_long.c mail_conf_raw.c \ + mail_conf_str.c mail_conf_time.c mail_connect.c mail_copy.c \ + mail_date.c mail_dict.c mail_error.c mail_flush.c mail_open_ok.c \ + mail_params.c mail_pathname.c mail_queue.c mail_run.c \ + mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c maps.c \ + mark_corrupt.c match_parent_style.c mbox_conf.c mbox_open.c \ + mime_state.c mkmap_cdb.c mkmap_db.c mkmap_dbm.c mkmap_open.c \ + mkmap_sdbm.c msg_stats_print.c msg_stats_scan.c mynetworks.c \ + mypwd.c namadr_list.c off_cvt.c opened.c own_inet_addr.c \ + pipe_command.c post_mail.c quote_821_local.c quote_822_local.c \ + rcpt_buf.c rcpt_print.c rec_attr_map.c rec_streamlf.c rec_type.c \ + recipient_list.c record.c remove.c resolve_clnt.c resolve_local.c \ + rewrite_clnt.c scache_clnt.c scache_multi.c scache_single.c \ sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \ sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \ - tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \ - verify_clnt.c verp_sender.c xtext.c scache_single.c \ - scache_clnt.c scache_multi.c user_acl.c mkmap_cdb.c mkmap_sdbm.c \ - ehlo_mask.c \ - wildcard_inet_addr.c valid_mailhost_addr.c dsn_util.c dsn_mask.c \ - rec_attr_map.c dsn.c dsn_buf.c rcpt_buf.c rcpt_print.c dsn_print.c \ - dsb_scan.c mail_conf_long.c msg_stats_print.c msg_stats_scan.c \ - conv_time.c + tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \ + user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \ + verp_sender.c wildcard_inet_addr.c xtext.c OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \ - clnt_stream.o debug_peer.o debug_process.o defer.o db_common.o \ - deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \ - dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \ - dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \ - header_opts.o header_token.o input_transp.o \ - is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \ - mail_addr_find.o mail_addr_map.o mail_command_client.o \ - mail_command_server.o mail_conf.o mail_conf_bool.o mail_conf_int.o \ - mail_conf_raw.o mail_conf_str.o mail_conf_time.o mail_connect.o \ - mail_copy.o mail_date.o mail_dict.o mail_error.o mail_flush.o \ - mail_open_ok.o mail_params.o mail_pathname.o mail_queue.o \ - mail_run.o mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o \ - maps.o mark_corrupt.o match_parent_style.o mbox_conf.o \ - mbox_open.o mime_state.o mkmap_db.o mkmap_dbm.o mkmap_open.o \ - mynetworks.o mypwd.o namadr_list.o off_cvt.o opened.o \ - own_inet_addr.o pipe_command.o post_mail.o quote_821_local.o \ - quote_822_local.o rec_streamlf.o rec_type.o recipient_list.o \ - record.o remove.o resolve_clnt.o resolve_local.o rewrite_clnt.o \ + clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \ + defer.o deliver_completed.o deliver_flock.o deliver_pass.o \ + deliver_request.o dict_ldap.o dict_mysql.o dict_pgsql.o \ + dict_proxy.o domain_list.o dot_lockfile.o dot_lockfile_as.o \ + dsb_scan.o dsn.o dsn_buf.o dsn_mask.o dsn_print.o dsn_util.o \ + ehlo_mask.o ext_prop.o file_id.o flush_clnt.o header_opts.o \ + header_token.o input_transp.o int_filt.o is_header.o log_adhoc.o \ + mail_addr.o mail_addr_crunch.o mail_addr_find.o mail_addr_map.o \ + mail_command_client.o mail_command_server.o mail_conf.o \ + mail_conf_bool.o mail_conf_int.o mail_conf_long.o mail_conf_raw.o \ + mail_conf_str.o mail_conf_time.o mail_connect.o mail_copy.o \ + mail_date.o mail_dict.o mail_error.o mail_flush.o mail_open_ok.o \ + mail_params.o mail_pathname.o mail_queue.o mail_run.o \ + mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o maps.o \ + mark_corrupt.o match_parent_style.o mbox_conf.o mbox_open.o \ + mime_state.o mkmap_cdb.o mkmap_db.o mkmap_dbm.o mkmap_open.o \ + mkmap_sdbm.o msg_stats_print.o msg_stats_scan.o mynetworks.o \ + mypwd.o namadr_list.o off_cvt.o opened.o own_inet_addr.o \ + pipe_command.o post_mail.o quote_821_local.o quote_822_local.o \ + rcpt_buf.o rcpt_print.o rec_attr_map.o rec_streamlf.o rec_type.o \ + recipient_list.o record.o remove.o resolve_clnt.o resolve_local.o \ + rewrite_clnt.o scache_clnt.o scache_multi.o scache_single.o \ sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \ sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \ - tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \ - verify_clnt.o verp_sender.o xtext.o scache_single.o \ - scache_clnt.o scache_multi.o user_acl.o mkmap_cdb.o mkmap_sdbm.o \ - ehlo_mask.o \ - wildcard_inet_addr.o valid_mailhost_addr.o dsn_util.o dsn_mask.o \ - rec_attr_map.o dsn.o dsn_buf.o rcpt_buf.o rcpt_print.o dsn_print.o \ - dsb_scan.o mail_conf_long.o msg_stats_print.o msg_stats_scan.o \ - conv_time.o + tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \ + user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \ + verp_sender.o wildcard_inet_addr.o xtext.o HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \ - debug_peer.h debug_process.h defer.h deliver_completed.h \ - deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \ - dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \ - dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \ - header_token.h input_transp.h is_header.h \ - lex_822.h log_adhoc.h mail_addr.h mail_addr_crunch.h \ - mail_addr_find.h mail_addr_map.h mail_conf.h mail_copy.h \ - mail_date.h mail_dict.h mail_error.h mail_flush.h mail_open_ok.h \ - mail_params.h mail_proto.h mail_queue.h mail_run.h mail_scan_dir.h \ - mail_stream.h mail_task.h mail_version.h maps.h mark_corrupt.h \ - match_parent_style.h mbox_conf.h mbox_open.h mime_state.h \ - mkmap.h mynetworks.h mypwd.h namadr_list.h off_cvt.h opened.h \ - own_inet_addr.h pipe_command.h post_mail.h qmgr_user.h \ - qmqp_proto.h quote_821_local.h quote_822_local.h quote_flags.h \ - rec_streamlf.h rec_type.h recipient_list.h record.h resolve_clnt.h \ - resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \ + conv_time.h db_common.h debug_peer.h debug_process.h defer.h \ + deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h \ + dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h \ + dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h \ + dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h \ + file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h \ + int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h \ + mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h \ + mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h \ + mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h \ + mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h \ + mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h \ + mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h \ + off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h \ + qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h \ + quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h \ + rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h \ + rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h \ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \ - trace.h verify.h verify_clnt.h verp_sender.h \ - xtext.h scache.h user_acl.h ehlo_mask.h db_common.h \ - wildcard_inet_addr.h valid_mailhost_addr.h dsn_util.h dsn_mask.h \ - rec_attr_map.h dsn.h dsn_buf.h rcpt_buf.h rcpt_print.h dsn_print.h \ - dsb_scan.h msg_stats.h conv_time.h + trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \ + verp_sender.h wildcard_inet_addr.h xtext.h TESTSRC = rec2stream.c stream2rec.c recdump.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) @@ -871,6 +868,13 @@ input_transp.o: cleanup_user.h input_transp.o: input_transp.c input_transp.o: input_transp.h input_transp.o: mail_params.h +int_filt.o: ../../include/name_mask.h +int_filt.o: ../../include/sys_defs.h +int_filt.o: ../../include/vbuf.h +int_filt.o: ../../include/vstring.h +int_filt.o: int_filt.c +int_filt.o: int_filt.h +int_filt.o: mail_params.h is_header.o: ../../include/sys_defs.h is_header.o: is_header.c is_header.o: is_header.h diff --git a/postfix/src/global/ext_prop.c b/postfix/src/global/ext_prop.c index c6860cf2b..9ae7cc493 100644 --- a/postfix/src/global/ext_prop.c +++ b/postfix/src/global/ext_prop.c @@ -1,16 +1,16 @@ /*++ /* NAME -/* exp_prop 3 +/* ext_prop 3 /* SUMMARY /* address extension propagation control /* SYNOPSIS -/* #include +/* #include /* /* int ext_prop_mask(param_name, pattern) /* const char *param_name; /* const char *pattern; /* DESCRIPTION -/* This module controld address extension propagation. +/* This module controls address extension propagation. /* /* ext_prop_mask() takes a comma-separated list of names and /* computes the corresponding mask. The following names are diff --git a/postfix/src/global/input_transp.h b/postfix/src/global/input_transp.h index 74f5a4124..c98c83680 100644 --- a/postfix/src/global/input_transp.h +++ b/postfix/src/global/input_transp.h @@ -1,13 +1,13 @@ -#ifndef _EXT_PROP_INCLUDED_ -#define _EXT_PROP_INCLUDED_ +#ifndef _INPUT_TRANSP_INCLUDED_ +#define _INPUT_TRANSP_INCLUDED_ /*++ /* NAME -/* ext_prop 3h +/* input_transp 3h /* SUMMARY -/* address extension propagation control +/* receive transparency control /* SYNOPSIS -/* #include +/* #include /* DESCRIPTION /* .nf diff --git a/postfix/src/global/int_filt.c b/postfix/src/global/int_filt.c new file mode 100644 index 000000000..1071b10d6 --- /dev/null +++ b/postfix/src/global/int_filt.c @@ -0,0 +1,73 @@ +/*++ +/* NAME +/* int_filt 3 +/* SUMMARY +/* internal mail filter control +/* SYNOPSIS +/* #include +/* +/* int int_filt_flags(class) +/* int class; +/* DESCRIPTION +/* int_filt_flags() determines the appropriate mail filtering +/* flags for the cleanup server, depending on the setting of +/* the internal_mail_filter_classes configuration parameter. +/* +/* Specify one of the following: +/* .IP INT_FILT_NONE +/* Mail that must be excluded from inspection (address probes, etc.). +/* .IP INT_FILT_NOTIFY +/* Postmaster notifications from the smtpd(8) and smtp(8) +/* protocol adapters. +/* .IP INT_FILT_BOUNCE +/* Delivery status notifications from the bounce(8) server. +/* DIAGNOSTICS +/* Fatal: invalid mail category name. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include + +/* Utility library. */ + +#include +#include + +/* Global library. */ + +#include +#include +#include + +/* int_filt_flags - map mail class to submission flags */ + +int int_filt_flags(int class) +{ + static NAME_MASK table[] = { + "notify", INT_FILT_NOTIFY, + "bounce", INT_FILT_BOUNCE, + 0, + }; + int filtered_classes = 0; + + if (class && *var_int_filt_classes) { + filtered_classes = + name_mask(VAR_INT_FILT_CLASSES, table, var_int_filt_classes); + if (filtered_classes == 0) + msg_warn("%s: bad input: %s", VAR_INT_FILT_CLASSES, + var_int_filt_classes); + if (filtered_classes & class) + return (CLEANUP_FLAG_FILTER | CLEANUP_FLAG_MILTER); + } + return (0); +} diff --git a/postfix/src/global/int_filt.h b/postfix/src/global/int_filt.h new file mode 100644 index 000000000..932fe3c3b --- /dev/null +++ b/postfix/src/global/int_filt.h @@ -0,0 +1,34 @@ +#ifndef _INT_FILT_INCLUDED_ +#define _INT_FILT_INCLUDED_ + +/*++ +/* NAME +/* int_filt 3h +/* SUMMARY +/* internal mail classification +/* SYNOPSIS +/* #include +/* DESCRIPTION +/* .nf + + /* + * External interface. + */ +#define INT_FILT_NONE (0) +#define INT_FILT_NOTIFY (1<<1) +#define INT_FILT_BOUNCE (1<<2) + +extern int int_filt_flags(int); + +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +#endif diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 047045353..85fadf3e9 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -105,6 +105,7 @@ /* int var_verify_neg_cache; /* int var_oldlog_compat; /* int var_delay_max_res; +/* char *var_int_filt_classes; /* /* void mail_params_init() /* @@ -273,6 +274,7 @@ int var_strict_encoding; int var_verify_neg_cache; int var_oldlog_compat; int var_delay_max_res; +char *var_int_filt_classes; const char null_format_string[1] = ""; @@ -488,6 +490,7 @@ void mail_params_init() VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0, VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0, VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0, + VAR_INT_FILT_CLASSES, DEF_INT_FILT_CLASSES, &var_int_filt_classes, 0, 0, 0, }; static CONFIG_STR_FN_TABLE function_str_defaults_2[] = { diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 73a12a195..5ab4dbf55 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1143,18 +1143,22 @@ extern char *var_smtpd_tls_CAfile; #define DEF_SMTPD_TLS_CA_PATH "" extern char *var_smtpd_tls_CApath; -#define VAR_SMTPD_TLS_PROTO "smtpd_tls_protocols" -#define DEF_SMTPD_TLS_PROTO "" -extern char *var_smtpd_tls_protocols; +#define VAR_SMTPD_TLS_MAND_PROTO "smtpd_tls_mandatory_protocols" +#define DEF_SMTPD_TLS_MAND_PROTO "SSLv3, TLSv1" +extern char *var_smtpd_tls_mand_proto; -#define VAR_SMTPD_TLS_CIPHERS "smtpd_tls_ciphers" -#define DEF_SMTPD_TLS_CIPHERS "export" -extern char *var_smtpd_tls_ciphers; +#define VAR_SMTPD_TLS_MAND_CIPH "smtpd_tls_mandatory_ciphers" +#define DEF_SMTPD_TLS_MAND_CIPH "medium" +extern char *var_smtpd_tls_mand_ciph; #define VAR_SMTPD_TLS_EXCL_CIPH "smtpd_tls_exclude_ciphers" #define DEF_SMTPD_TLS_EXCL_CIPH "" extern char *var_smtpd_tls_excl_ciph; +#define VAR_SMTPD_TLS_MAND_EXCL "smtpd_tls_mandatory_exclude_ciphers" +#define DEF_SMTPD_TLS_MAND_EXCL "" +extern char *var_smtpd_tls_mand_excl; + #define VAR_SMTPD_TLS_512_FILE "smtpd_tls_dh512_param_file" #define DEF_SMTPD_TLS_512_FILE "" extern char *var_smtpd_tls_dh512_param_file; @@ -1255,11 +1259,11 @@ extern char *var_smtp_tls_CAfile; #define DEF_LMTP_TLS_CA_PATH "" extern char *var_smtp_tls_CApath; -#define VAR_SMTP_TLS_CIPHERS "smtp_tls_mandatory_ciphers" -#define DEF_SMTP_TLS_CIPHERS "medium" -#define VAR_LMTP_TLS_CIPHERS "lmtp_tls_mandatory_ciphers" -#define DEF_LMTP_TLS_CIPHERS "medium" -extern char *var_smtp_tls_ciphers; +#define VAR_SMTP_TLS_MAND_CIPH "smtp_tls_mandatory_ciphers" +#define DEF_SMTP_TLS_MAND_CIPH "medium" +#define VAR_LMTP_TLS_MAND_CIPH "lmtp_tls_mandatory_ciphers" +#define DEF_LMTP_TLS_MAND_CIPH "medium" +extern char *var_smtp_tls_mand_ciph; #define VAR_SMTP_TLS_EXCL_CIPH "smtp_tls_exclude_ciphers" #define DEF_SMTP_TLS_EXCL_CIPH "" @@ -2739,6 +2743,14 @@ extern char *var_milt_daemon_name; #define DEF_MILT_V "$" VAR_MAIL_NAME " $" VAR_MAIL_VERSION extern char *var_milt_v; + /* + * What internal mail do we inspect/stamp/etc.? This is not yet safe enough + * to enable world-wide. + */ +#define VAR_INT_FILT_CLASSES "internal_mail_filter_classes" +#define DEF_INT_FILT_CLASSES "" +extern char *var_int_filt_classes; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ba8d07ea0..ca75a943e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,11 +20,23 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20060709" -#define MAIL_VERSION_NUMBER "2.3-RC9" +#define MAIL_RELEASE_DATE "20060711" +#define MAIL_VERSION_NUMBER "2.3.0" + +#ifdef SNAPSHOT +# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE +#else +# define MAIL_VERSION_DATE "" +#endif + +#ifdef NONPROD +# define MAIL_VERSION_PROD "-nonprod" +#else +# define MAIL_VERSION_PROD "" +#endif #define VAR_MAIL_VERSION "mail_version" -#define DEF_MAIL_VERSION MAIL_VERSION_NUMBER +#define DEF_MAIL_VERSION MAIL_VERSION_NUMBER MAIL_VERSION_DATE MAIL_VERSION_PROD extern char *var_mail_version; diff --git a/postfix/src/global/post_mail.c b/postfix/src/global/post_mail.c index 15618eb1b..56a94654c 100644 --- a/postfix/src/global/post_mail.c +++ b/postfix/src/global/post_mail.c @@ -6,28 +6,28 @@ /* SYNOPSIS /* #include /* -/* VSTREAM *post_mail_fopen(sender, recipient, cleanup_flags, trace_flags, +/* VSTREAM *post_mail_fopen(sender, recipient, filter_class, trace_flags, /* queue_id) /* const char *sender; /* const char *recipient; -/* int cleanup_flags; +/* int filter_class; /* int trace_flags; /* VSTRING *queue_id; /* /* VSTREAM *post_mail_fopen_nowait(sender, recipient, -/* cleanup_flags, trace_flags, queue_id) +/* filter_class, trace_flags, queue_id) /* const char *sender; /* const char *recipient; -/* int cleanup_flags; +/* int filter_class; /* int trace_flags; /* VSTRING *queue_id; /* /* void post_mail_fopen_async(sender, recipient, -/* cleanup_flags, trace_flags, +/* filter_class, trace_flags, /* queue_id, notify, context) /* const char *sender; /* const char *recipient; -/* int cleanup_flags; +/* int filter_class; /* int trace_flags; /* VSTRING *queue_id; /* void (*notify)(VSTREAM *stream, char *context); @@ -95,9 +95,11 @@ /* .IP recipient /* The recipient envelope address. It is up to the application /* to produce To: headers. -/* .IP cleanup_flags -/* The binary OR of zero or more of the options defined in -/* \fB\fR. +/* .IP filter_class +/* The internal mail filtering class, as defined in +/* \fB\fR. Depending on the setting of the +/* internal_mail_filter_classes parameter the message will or +/* won't be subject to content inspection. /* .IP trace_flags /* Message tracing flags as specified in \fB\fR. /* .IP queue_id @@ -169,7 +171,7 @@ typedef struct { char *sender; char *recipient; - int cleanup_flags; + int filter_class; int trace_flags; POST_MAIL_NOTIFY notify; void *context; @@ -181,12 +183,14 @@ typedef struct { static void post_mail_init(VSTREAM *stream, const char *sender, const char *recipient, - int cleanup_flags, int trace_flags, + int filter_class, int trace_flags, VSTRING *queue_id) { VSTRING *id = queue_id ? queue_id : vstring_alloc(100); struct timeval now; const char *date; + int cleanup_flags = + int_filt_flags(filter_class) | CLEANUP_FLAG_MASK_INTERNAL; GETTIMEOFDAY(&now); date = mail_date(now.tv_sec); @@ -231,13 +235,13 @@ static void post_mail_init(VSTREAM *stream, const char *sender, /* post_mail_fopen - prepare for posting a message */ VSTREAM *post_mail_fopen(const char *sender, const char *recipient, - int cleanup_flags, int trace_flags, + int filter_class, int trace_flags, VSTRING *queue_id) { VSTREAM *stream; stream = mail_connect_wait(MAIL_CLASS_PUBLIC, var_cleanup_service); - post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags, + post_mail_init(stream, sender, recipient, filter_class, trace_flags, queue_id); return (stream); } @@ -245,14 +249,14 @@ VSTREAM *post_mail_fopen(const char *sender, const char *recipient, /* post_mail_fopen_nowait - prepare for posting a message */ VSTREAM *post_mail_fopen_nowait(const char *sender, const char *recipient, - int cleanup_flags, int trace_flags, + int filter_class, int trace_flags, VSTRING *queue_id) { VSTREAM *stream; if ((stream = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING)) != 0) - post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags, + post_mail_init(stream, sender, recipient, filter_class, trace_flags, queue_id); return (stream); } @@ -292,7 +296,7 @@ static void post_mail_open_event(int event, char *context) event_cancel_timer(post_mail_open_event, context); event_disable_readwrite(vstream_fileno(state->stream)); post_mail_init(state->stream, state->sender, - state->recipient, state->cleanup_flags, + state->recipient, state->filter_class, state->trace_flags, state->queue_id); myfree(state->sender); myfree(state->recipient); @@ -343,7 +347,7 @@ static void post_mail_open_event(int event, char *context) /* post_mail_fopen_async - prepare for posting a message */ void post_mail_fopen_async(const char *sender, const char *recipient, - int cleanup_flags, int trace_flags, + int filter_class, int trace_flags, VSTRING *queue_id, void (*notify) (VSTREAM *, void *), void *context) @@ -355,7 +359,7 @@ void post_mail_fopen_async(const char *sender, const char *recipient, state = (POST_MAIL_STATE *) mymalloc(sizeof(*state)); state->sender = mystrdup(sender); state->recipient = mystrdup(recipient); - state->cleanup_flags = cleanup_flags; + state->filter_class = filter_class; state->trace_flags = trace_flags; state->notify = notify; state->context = context; diff --git a/postfix/src/global/post_mail.h b/postfix/src/global/post_mail.h index e55a8d166..b76a2510e 100644 --- a/postfix/src/global/post_mail.h +++ b/postfix/src/global/post_mail.h @@ -21,6 +21,7 @@ * Global library. */ #include +#include /* * External interface. diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index 2ab2a516e..fef14721e 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c @@ -709,13 +709,13 @@ MILTERS *milter_receive(VSTREAM *stream, int count) return (0); } if (head == 0) { - head = milter; + /* Coverity: milter_free() depends on milters->milter_list. */ + milters->milter_list = head = milter; } else { tail->next = milter; } tail = milter; } - milters->milter_list = head; (void) attr_print(stream, ATTR_FLAG_NONE, ATTR_TYPE_INT, MAIL_ATTR_STATUS, 0, diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index c2df1b732..8566d882e 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c @@ -1916,6 +1916,9 @@ static void milter8_header(void *ptr, int unused_header_class, * expose the first header to mail filter applications, otherwise the * dk-filter signature will be inserted at the wrong position. It should * precede the headers that it signs. + * + * XXX Sendmail compatibility. It eats the first space (not tab) after the + * header label and ":". */ if (msg_ctx->first_header) { msg_ctx->first_header = 0; @@ -1939,8 +1942,8 @@ static void milter8_header(void *ptr, int unused_header_class, if (*cp != ':') msg_panic("%s: header label not followed by ':'", myname); *cp++ = 0; - /* XXX Following matches mime_state.c */ - while (*cp == ' ' || *cp == '\t') + /* XXX Sendmail 8.13.6 eats one space (not tab) after colon. */ + if (*cp == ' ') cp++; #ifdef SMFIP_NOHREPL skip_reply = ((milter->ev_mask & SMFIP_NOHREPL) != 0); diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index f59b0d0b2..fa488781e 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c @@ -16,7 +16,7 @@ VAR_LMTP_TLS_DKEY_FILE, DEF_LMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0, VAR_LMTP_TLS_CA_FILE, DEF_LMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0, VAR_LMTP_TLS_CA_PATH, DEF_LMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0, - VAR_LMTP_TLS_CIPHERS, DEF_LMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0, + VAR_LMTP_TLS_MAND_CIPH, DEF_LMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0, VAR_LMTP_TLS_EXCL_CIPH, DEF_LMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0, VAR_LMTP_TLS_MAND_EXCL, DEF_LMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 103cbb95f..7fdbf780d 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -170,12 +170,12 @@ /* .IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR" /* Lookup tables, indexed by the remote SMTP server address, with /* case insensitive lists of EHLO keywords (pipelining, starttls, auth, -/* etc.) that the SMTP client will ignore in the EHLO response from a +/* etc.) that the Postfix SMTP client will ignore in the EHLO response from a /* remote SMTP server. /* .IP "\fBsmtp_discard_ehlo_keywords (empty)\fR" /* A case insensitive list of EHLO keywords (pipelining, starttls, -/* auth, etc.) that the SMTP client will ignore in the EHLO response -/* from a remote SMTP server. +/* auth, etc.) that the Postfix SMTP client will ignore in the EHLO +/* response from a remote SMTP server. /* .IP "\fBsmtp_generic_maps (empty)\fR" /* Optional lookup tables that perform address rewriting in the /* SMTP client, typically to transform a locally valid address into @@ -212,8 +212,8 @@ /* .fi /* Available in Postfix version 2.1 and later: /* .IP "\fBsmtp_send_xforward_command (no)\fR" -/* Send the non-standard XFORWARD command when the Postfix SMTP server EHLO -/* response announces XFORWARD support. +/* Send the non-standard XFORWARD command when the Postfix SMTP server +/* EHLO response announces XFORWARD support. /* SASL AUTHENTICATION CONTROLS /* .ad /* .fi @@ -235,11 +235,12 @@ /* .PP /* Available in Postfix version 2.3 and later: /* .IP "\fBsmtp_sasl_auth_enforce (yes)\fR" -/* Defer mail delivery when an SMTP server does not support SASL -/* authentication, while smtp_sasl_password_maps contains SASL -/* login/password information for that server. +/* If sender-dependent SASL passwords are turned off, defer mail +/* delivery when an SMTP server does not support SASL authentication, +/* while smtp_sasl_password_maps contains SASL login/password information +/* for that server. /* .IP "\fBsmtp_sender_dependent_authentication (no)\fR" -/* Enable sender-dependent authentication in the SMTP client; this is +/* Enable sender-dependent authentication in the Postfix SMTP client; this is /* available only with SASL authentication, and disables SMTP connection /* caching to ensure that mail from different senders will use the /* appropriate credentials. @@ -275,15 +276,16 @@ /* .IP "\fBsmtp_tls_cert_file (empty)\fR" /* File with the Postfix SMTP client RSA certificate in PEM format. /* .IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR" -/* The minimum SMTP client TLS cipher grade that is strong enough to -/* be used with the "encrypt" security level and higher. +/* The minimum TLS cipher grade that the Postfix SMTP client will +/* use with +/* mandatory TLS encryption. /* .IP "\fBsmtp_tls_exclude_ciphers (empty)\fR" -/* List of ciphers or cipher types to exclude from the SMTP client cipher -/* list at all security levels. +/* List of ciphers or cipher types to exclude from the Postfix +/* SMTP client cipher +/* list at all TLS security levels. /* .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR" -/* List of ciphers or cipher types to exclude from the SMTP client -/* cipher list at the mandatory TLS security levels: "encrypt", "verify" -/* and "secure". +/* Additional list of ciphers or cipher types to exclude from the +/* SMTP client cipher list at mandatory TLS security levels. /* .IP "\fBsmtp_tls_dcert_file (empty)\fR" /* File with the Postfix SMTP client DSA certificate in PEM format. /* .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR" @@ -295,13 +297,6 @@ /* .IP "\fBsmtp_tls_note_starttls_offer (no)\fR" /* Log the hostname of a remote SMTP server that offers STARTTLS, /* when TLS is not already enabled for that server. -/* .IP "\fBsmtp_tls_policy_maps (empty)\fR" -/* Optional lookup tables with the Postfix SMTP client TLS security -/* policy by next-hop destination; when a non-empty value is specified, -/* this overrides the obsolete smtp_tls_per_site parameter. -/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR" -/* List of TLS protocol versions that are secure enough to be used -/* with the "encrypt" security level and higher. /* .IP "\fBsmtp_tls_scert_verifydepth (5)\fR" /* The verification depth for remote SMTP server certificates. /* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR" @@ -350,12 +345,15 @@ /* Enforcement mode: require that remote SMTP servers use TLS /* encryption, and never send mail in the clear. /* .IP "\fBsmtp_tls_enforce_peername (yes)\fR" -/* When TLS encryption is enforced, require that the remote SMTP +/* With mandatory TLS encryption, require that the remote SMTP /* server hostname matches the information in the remote SMTP server /* certificate. /* .IP "\fBsmtp_tls_per_site (empty)\fR" /* Optional lookup tables with the Postfix SMTP client TLS usage /* policy by next-hop destination and by remote SMTP server hostname. +/* .IP "\fBsmtp_tls_cipherlist (empty)\fR" +/* Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS +/* cipher list. /* RESOURCE AND RATE CONTROLS /* .ad /* .fi @@ -444,6 +442,10 @@ /* The recipient of postmaster notifications about mail delivery /* problems that are caused by policy, resource, software or protocol /* errors. +/* .IP "\fBinternal_mail_filter_classes (empty)\fR" +/* What categories of Postfix-generated mail are subject to +/* before-queue content inspection by non_smtpd_milters, header_checks +/* and body_checks. /* .IP "\fBnotify_classes (resource, software)\fR" /* The list of error classes that are reported to the postmaster. /* MISCELLANEOUS CONTROLS @@ -488,17 +490,17 @@ /* The network interface addresses that this mail system receives mail /* on by way of a proxy or network address translation unit. /* .IP "\fBsmtp_bind_address (empty)\fR" -/* An optional numerical network address that the SMTP client should -/* bind to when making an IPv4 connection. +/* An optional numerical network address that the Postfix SMTP client +/* should bind to when making an IPv4 connection. /* .IP "\fBsmtp_bind_address6 (empty)\fR" -/* An optional numerical network address that the SMTP client should -/* bind to when making an IPv6 connection. +/* An optional numerical network address that the Postfix SMTP client +/* should bind to when making an IPv6 connection. /* .IP "\fBsmtp_helo_name ($myhostname)\fR" /* The hostname to send in the SMTP EHLO or HELO command. /* .IP "\fBlmtp_lhlo_name ($myhostname)\fR" /* The hostname to send in the LMTP LHLO command. /* .IP "\fBsmtp_host_lookup (dns)\fR" -/* What mechanisms when the SMTP client uses to look up a host's IP +/* What mechanisms when the Postfix SMTP client uses to look up a host's IP /* address. /* .IP "\fBsmtp_randomize_addresses (yes)\fR" /* Randomize the order of equal-preference MX host addresses. @@ -672,7 +674,7 @@ int var_smtp_starttls_tmout; char *var_smtp_tls_CAfile; char *var_smtp_tls_CApath; char *var_smtp_tls_cert_file; -char *var_smtp_tls_ciphers; +char *var_smtp_tls_mand_ciph; char *var_smtp_tls_excl_ciph; char *var_smtp_tls_mand_excl; char *var_smtp_tls_dcert_file; @@ -831,6 +833,7 @@ static void post_init(char *unused_name, char **unused_argv) static void pre_init(char *unused_name, char **unused_argv) { + int use_tls; /* * Turn on per-peer debugging. @@ -848,12 +851,15 @@ static void pre_init(char *unused_name, char **unused_argv) VAR_SMTP_SASL_ENABLE); #endif + if (*var_smtp_tls_level) + use_tls = tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE; + else + use_tls = var_smtp_enforce_tls || var_smtp_use_tls; + /* * Initialize the TLS data before entering the chroot jail */ - if (tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE || - var_smtp_use_tls || var_smtp_enforce_tls || - var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) { + if (use_tls || var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) { #ifdef USE_TLS tls_client_init_props props; diff --git a/postfix/src/smtp/smtp_chat.c b/postfix/src/smtp/smtp_chat.c index e5ce59185..82ea27564 100644 --- a/postfix/src/smtp/smtp_chat.c +++ b/postfix/src/smtp/smtp_chat.c @@ -406,7 +406,7 @@ void smtp_chat_notify(SMTP_SESSION *session) notice = post_mail_fopen_nowait(mail_addr_double_bounce(), var_error_rcpt, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_NOTIFY, NULL_TRACE_FLAGS, NO_QUEUE_ID); if (notice == 0) { msg_warn("postmaster notify: %m"); diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index 4f8c997e3..540da3781 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -17,7 +17,7 @@ VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0, VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0, VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0, - VAR_SMTP_TLS_CIPHERS, DEF_SMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0, + VAR_SMTP_TLS_MAND_CIPH, DEF_SMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0, VAR_SMTP_TLS_EXCL_CIPH, DEF_SMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0, VAR_SMTP_TLS_MAND_EXCL, DEF_SMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index e187f6efe..b66d91a9f 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c @@ -602,6 +602,7 @@ int smtp_helo(SMTP_STATE *state) return (smtp_sasl_helo_login(state)); else if (var_smtp_sasl_enable && *var_smtp_sasl_passwd + && !var_smtp_sender_auth && var_smtp_sasl_enforce && smtp_sasl_passwd_lookup(session) != 0) return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, diff --git a/postfix/src/smtp/smtp_session.c b/postfix/src/smtp/smtp_session.c index b0b487c8a..abb32789b 100644 --- a/postfix/src/smtp/smtp_session.c +++ b/postfix/src/smtp/smtp_session.c @@ -355,7 +355,7 @@ static void set_cipherlist(SMTP_SESSION *session, int cipher_level, int lmtp) case TLS_LEV_ENCRYPT: also_exclude = "eNULL"; if (cipher_level == TLS_CIPHER_NONE) - cipher_level = tls_cipher_level(var_smtp_tls_ciphers); + cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph); mand_exclude = var_smtp_tls_mand_excl; break; @@ -363,7 +363,7 @@ static void set_cipherlist(SMTP_SESSION *session, int cipher_level, int lmtp) case TLS_LEV_SECURE: also_exclude = "aNULL"; if (cipher_level == TLS_CIPHER_NONE) - cipher_level = tls_cipher_level(var_smtp_tls_ciphers); + cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph); mand_exclude = var_smtp_tls_mand_excl; break; } @@ -372,8 +372,8 @@ static void set_cipherlist(SMTP_SESSION *session, int cipher_level, int lmtp) also_exclude, TLS_END_EXCLUDE); if (cipherlist == 0) { msg_warn("unknown '%s' value '%s' ignored, using 'medium'", - lmtp ? VAR_LMTP_TLS_CIPHERS : VAR_SMTP_TLS_CIPHERS, - var_smtp_tls_ciphers); + lmtp ? VAR_LMTP_TLS_MAND_CIPH : VAR_SMTP_TLS_MAND_CIPH, + var_smtp_tls_mand_ciph); cipherlist = tls_cipher_list(TLS_CIPHER_MEDIUM, exclude, mand_exclude, also_exclude, TLS_END_EXCLUDE); if (cipherlist == 0) diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index d5a005687..8425f1d3b 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -262,12 +262,10 @@ /* .fi /* Detailed information about STARTTLS configuration may be /* found in the TLS_README document. -/* .IP "\fBsmtpd_use_tls (no)\fR" -/* Opportunistic TLS: announce STARTTLS support to SMTP clients, -/* but do not require that clients use TLS encryption. -/* .IP "\fBsmtpd_enforce_tls (no)\fR" -/* Mandatory TLS: announce STARTTLS support to SMTP clients, -/* and require that clients use TLS encryption. +/* .IP "\fBsmtpd_tls_security_level (empty)\fR" +/* The SMTP TLS security level for the Postfix SMTP server; when +/* a non-empty value is specified, this overrides the obsolete parameters +/* smtpd_use_tls and smtpd_enforce_tls. /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" /* The SASL authentication security options that the Postfix SMTP /* server uses for TLS encrypted SMTP sessions. @@ -290,11 +288,9 @@ /* The verification depth for remote SMTP client certificates. /* .IP "\fBsmtpd_tls_cert_file (empty)\fR" /* File with the Postfix SMTP server RSA certificate in PEM format. -/* .IP "\fBsmtpd_tls_ciphers (export)\fR" -/* The minimum acceptable SMTP server TLS cipher grade. /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR" /* List of ciphers or cipher types to exclude from the SMTP server -/* cipher list. +/* cipher list at all TLS security levels. /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR" /* File with the Postfix SMTP server DSA certificate in PEM format. /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR" @@ -309,15 +305,23 @@ /* File with the Postfix SMTP server RSA private key in PEM format. /* .IP "\fBsmtpd_tls_loglevel (0)\fR" /* Enable additional Postfix SMTP server logging of TLS activity. -/* .IP "\fBsmtpd_tls_protocols (empty)\fR" -/* The list of TLS protocols supported by the Postfix SMTP server. +/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" +/* The minimum TLS cipher grade that the Postfix SMTP server will +/* use with mandatory +/* TLS encryption. +/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" +/* Additional list of ciphers or cipher types to exclude from the +/* SMTP server cipher list at mandatory TLS security levels. +/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR" +/* The TLS protocols accepted by the Postfix SMTP server with +/* mandatory TLS encryption. /* .IP "\fBsmtpd_tls_received_header (no)\fR" /* Request that the Postfix SMTP server produces Received: message /* headers that include information about the protocol and cipher used, /* as well as the client CommonName and client certificate issuer /* CommonName. /* .IP "\fBsmtpd_tls_req_ccert (no)\fR" -/* When TLS encryption is enforced, require a remote SMTP client +/* With mandatory TLS encryption, require a remote SMTP client /* certificate in order to allow TLS connections to proceed. /* .IP "\fBsmtpd_tls_session_cache_database (empty)\fR" /* Name of the file containing the optional Postfix SMTP server @@ -332,12 +336,6 @@ /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) /* process requests from the \fBtlsmgr\fR(8) server in order to seed its /* internal pseudo random number generator (PRNG). -/* .PP -/* Available in Postfix version 2.3 and later: -/* .IP "\fBsmtpd_tls_security_level (empty)\fR" -/* The SMTP TLS security level for the Postfix SMTP server; when -/* a non-empty value is specified, this overrides the obsolete parameters -/* smtpd_use_tls and smtpd_enforce_tls. /* .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR" /* The OpenSSL cipherlist for "HIGH" grade ciphers. /* .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR" @@ -349,6 +347,21 @@ /* .IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR" /* The OpenSSL cipherlist for "NULL" grade ciphers that provide /* authentication without encryption. +/* OBSOLETE STARTTLS CONTROLS +/* .ad +/* .fi +/* The following configuration parameters exist for compatibility +/* with Postfix versions before 2.3. Support for these will +/* be removed in a future release. +/* .IP "\fBsmtpd_use_tls (no)\fR" +/* Opportunistic TLS: announce STARTTLS support to SMTP clients, +/* but do not require that clients use TLS encryption. +/* .IP "\fBsmtpd_enforce_tls (no)\fR" +/* Mandatory TLS: announce STARTTLS support to SMTP clients, +/* and require that clients use TLS encryption. +/* .IP "\fBsmtpd_tls_cipherlist (empty)\fR" +/* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS +/* cipher list. /* VERP SUPPORT CONTROLS /* .ad /* .fi @@ -391,6 +404,10 @@ /* The recipient of postmaster notifications about mail delivery /* problems that are caused by policy, resource, software or protocol /* errors. +/* .IP "\fBinternal_mail_filter_classes (empty)\fR" +/* What categories of Postfix-generated mail are subject to +/* before-queue content inspection by non_smtpd_milters, header_checks +/* and body_checks. /* .IP "\fBnotify_classes (resource, software)\fR" /* The list of error classes that are reported to the postmaster. /* .IP "\fBsoft_bounce (no)\fR" @@ -503,7 +520,7 @@ /* .PP /* Available in Postfix version 2.3 and later: /* .IP "\fBsmtpd_peername_lookup (yes)\fR" -/* Attempt to look up the SMTP client hostname, and verify that +/* Attempt to look up the Postfix SMTP client hostname, and verify that /* the name matches the client IP address. /* .PP /* The per SMTP client connection count and request rate limits are @@ -1040,15 +1057,16 @@ bool var_smtpd_tls_ask_ccert; bool var_smtpd_tls_auth_only; int var_smtpd_tls_ccert_vd; char *var_smtpd_tls_cert_file; -char *var_smtpd_tls_ciphers; +char *var_smtpd_tls_mand_ciph; char *var_smtpd_tls_excl_ciph; +char *var_smtpd_tls_mand_excl; char *var_smtpd_tls_dcert_file; char *var_smtpd_tls_dh1024_param_file; char *var_smtpd_tls_dh512_param_file; char *var_smtpd_tls_dkey_file; char *var_smtpd_tls_key_file; int var_smtpd_tls_loglevel; -char *var_smtpd_tls_protocols; +char *var_smtpd_tls_mand_proto; bool var_smtpd_tls_received_header; bool var_smtpd_tls_req_ccert; int var_smtpd_tls_scache_timeout; @@ -4208,9 +4226,9 @@ static void pre_jail_init(char *unused_name, char **unused_argv) props.CApath = var_smtpd_tls_CApath; props.dh1024_param_file = var_smtpd_tls_dh1024_param_file; props.dh512_param_file = var_smtpd_tls_dh512_param_file; - props.protocols = *var_smtpd_tls_protocols ? - tls_protocol_mask(VAR_SMTPD_TLS_PROTO, - var_smtpd_tls_protocols) : 0; + props.protocols = enforce_tls && *var_smtpd_tls_mand_proto ? + tls_protocol_mask(VAR_SMTPD_TLS_MAND_PROTO, + var_smtpd_tls_mand_proto) : 0; props.ask_ccert = var_smtpd_tls_ask_ccert; /* @@ -4232,19 +4250,26 @@ static void pre_jail_init(char *unused_name, char **unused_argv) msg_warn("Can't require client certs unless TLS is required"); props.cipherlist = - tls_cipher_list(tls_cipher_level(var_smtpd_tls_ciphers), + tls_cipher_list(enforce_tls ? + tls_cipher_level(var_smtpd_tls_mand_ciph) : + TLS_CIPHER_EXPORT, var_smtpd_tls_excl_ciph, havecert ? "" : "aRSA aDSS", wantcert ? "aNULL" : "", + enforce_tls ? var_smtpd_tls_mand_excl : + TLS_END_EXCLUDE, TLS_END_EXCLUDE); + if (props.cipherlist == 0) { msg_warn("unknown '%s' value '%s' ignored, using 'export'", - VAR_SMTPD_TLS_CIPHERS, var_smtpd_tls_ciphers); + VAR_SMTPD_TLS_MAND_CIPH, var_smtpd_tls_mand_ciph); props.cipherlist = tls_cipher_list(TLS_CIPHER_EXPORT, var_smtpd_tls_excl_ciph, havecert ? "" : "aRSA aDSS", wantcert ? "aNULL" : "", + enforce_tls ? var_smtpd_tls_mand_excl : + TLS_END_EXCLUDE, TLS_END_EXCLUDE); } if (havecert || oknocert) @@ -4470,14 +4495,15 @@ int main(int argc, char **argv) VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0, VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0, VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0, - VAR_SMTPD_TLS_CIPHERS, DEF_SMTPD_TLS_CIPHERS, &var_smtpd_tls_ciphers, 1, 0, + VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0, VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0, + VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0, VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0, - VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_protocols, 0, 0, + VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0, VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, #endif diff --git a/postfix/src/smtpd/smtpd_chat.c b/postfix/src/smtpd/smtpd_chat.c index 6239d50b1..d37efd99c 100644 --- a/postfix/src/smtpd/smtpd_chat.c +++ b/postfix/src/smtpd/smtpd_chat.c @@ -227,7 +227,7 @@ void smtpd_chat_notify(SMTPD_STATE *state) notice = post_mail_fopen_nowait(mail_addr_double_bounce(), var_error_rcpt, - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_NOTIFY, NULL_TRACE_FLAGS, NO_QUEUE_ID); if (notice == 0) { msg_warn("postmaster notify: %m"); diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c index b656a17d1..c1771fa56 100644 --- a/postfix/src/verify/verify.c +++ b/postfix/src/verify/verify.c @@ -459,7 +459,7 @@ static void verify_query_service(VSTREAM *client_stream) STR(addr), addr_status, now, updated); post_mail_fopen_async(strcmp(var_verify_sender, "<>") == 0 ? "" : var_verify_sender, STR(addr), - CLEANUP_FLAG_MASK_INTERNAL, + INT_FILT_NONE, DEL_REQ_FLAG_MTA_VRFY, (VSTRING *) 0, verify_post_mail_action,